[Cryptography] Toxic Combination

Andreas Briese ab at bri-c.de
Thu Dec 4 04:59:48 EST 2014


On 04.12.2014 at 08:21, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:

> Ben Laurie <benl at google.com> writes:
> 
>> I think that's a completely unfair accusation - the difficulty has always
>> been the lack of a _usable_ way to _securely_ implement such protocols.
> 
> You forgot the rest of the list that gets trotted out:
> 
> It won't scale, there's no user demand, there's insufficient industry support, 
> I ran out of gas, I had a flat tire, I didn't have enough money for cab fare, 
> my tux didn't come back from the cleaners, an old friend came in from out of 
> town, someone stole my car, there was an earthquake, a terrible flood, 
> locusts!
> 
> There have been endless studies done and papers published on how to do
> perfectly usable shared secret-based authentication.  Heck, I devote
> significant chunks of my book (draft) to them, I'd be surprised if there were
> less than a hundred references to published work on how to do it.
> 
>> And it has to be secure - which includes "not allow credential theft _even by
>> the site operator_".
> 
> Oh, that's a new one: Set a requirement that can't possibly be met (except
> perhaps through the use of magic) and then claim you can't meet that
> requirement, therefore it's not worth doing.
> 
> Looking past all the excuses, there is one, and only one, reason why no
> browser supports proper shared secret-based mutual auth: The browser vendors
> don't want to do it.  Meanwhile they're busy implementing more mission-
> critical stuff like live in-browser video chat via WebRTC, because that's
> functionality that everyone has been crying out for for a web browser.
> 

Regarding WebRTC, I'm with you.

In March I posted

#webRTCipleak Firefox browser enables unmasking #VPN by default config; test & fix: http://bitly.com/1pnFEwp

on Twitter and Bugzilla; Mozilla's reaction was NONE.

https://bugzilla.mozilla.org/show_bug.cgi?id=959893

I asked for making WebRTC opt-in instead of opt-out until it's fixed.

Reaction: none - because VPN unveiling is nothing to look at by the standards.

Somehow discouraging.

Andreas


> Peter.
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
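The unmasking Andreas describes surfaces in the ICE candidate lines a browser puts into its SDP offer: host candidates carry interface addresses, and server-reflexive (STUN) candidates carry whatever public address the STUN server saw, which is the ISP address rather than the tunnel's when WebRTC traffic is not routed through the VPN. As an added illustration, not code from the post, from Mozilla, or from Andreas's test page, the Node script below parses `a=candidate:` lines and flags every address that is neither the VPN's public egress nor a TURN relay. The SDP fragment and the "VPN egress" address are constructed for this example.

```javascript
// Added example (not part of the mailing-list thread). Parses ICE candidate lines from
// an SDP offer and reports which addresses a WebRTC peer connection would disclose.
// SAMPLE_SDP and ASSUMED_VPN_EGRESS are constructed values, not captured data.

const PRIVATE_V4 = [
  /^10\./,                          // RFC 1918 10/8
  /^172\.(1[6-9]|2\d|3[01])\./,     // RFC 1918 172.16/12
  /^192\.168\./,                    // RFC 1918 192.168/16
  /^127\./,                         // loopback
  /^169\.254\./,                    // link-local
];

// Non-IPv4 literals (IPv6, mDNS names) are treated as "not private" and so get compared
// against the expected egress address like any public IPv4 address would.
function isPrivateIPv4(ip) {
  return PRIVATE_V4.some((re) => re.test(ip));
}

// Parse one "a=candidate:" line (RFC 5245 syntax). Returns null for any other SDP line.
function parseIceCandidate(line) {
  const m = /^a=candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(.*)$/.exec(line.trim());
  if (!m) return null;
  const cand = {
    foundation: m[1],
    component: Number(m[2]),
    transport: m[3].toUpperCase(),
    priority: Number(m[4]),
    address: m[5],
    port: Number(m[6]),
    type: m[7], // host | srflx | prflx | relay
  };
  // For srflx/relay candidates, raddr/rport is the local base address behind the NAT.
  const rel = /raddr (\S+) rport (\d+)/.exec(m[8]);
  if (rel) {
    cand.relatedAddress = rel[1];
    cand.relatedPort = Number(rel[2]);
  }
  return cand;
}

// Classify every candidate against the address the VPN is supposed to present.
//   lan-address-disclosure : a private interface address leaves the host
//   vpn-bypass             : a public address other than the tunnel's egress leaves the host
function findAddressDisclosures(sdp, vpnEgressIp) {
  const findings = [];
  const seen = new Set();
  const add = (address, type, issue) => {
    const key = issue + ':' + address;
    if (seen.has(key)) return; // same address reported once per issue class
    seen.add(key);
    findings.push({ address, type, issue });
  };

  for (const line of sdp.split(/\r?\n/)) {
    const c = parseIceCandidate(line);
    if (!c) continue;
    if (c.type !== 'relay') {
      // A TURN relay candidate's address is the relay's, not the client's.
      if (isPrivateIPv4(c.address)) add(c.address, c.type, 'lan-address-disclosure');
      else if (c.address !== vpnEgressIp) add(c.address, c.type, 'vpn-bypass');
    }
    if (c.relatedAddress && isPrivateIPv4(c.relatedAddress)) {
      add(c.relatedAddress, c.type + '/raddr', 'lan-address-disclosure');
    }
  }
  return findings;
}

// Constructed SDP fragment: a LAN host candidate, a STUN candidate showing the ISP
// address (the leak), a STUN candidate showing the tunnel's egress, and a TURN relay.
const SAMPLE_SDP = [
  'v=0',
  'a=candidate:0 1 UDP 2122252543 192.168.1.23 54321 typ host',
  'a=candidate:1 1 UDP 1686052863 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321',
  'a=candidate:2 1 UDP 1686052862 198.51.100.7 40000 typ srflx raddr 10.8.0.2 rport 40000',
  'a=candidate:3 1 UDP 41885439 192.0.2.99 3478 typ relay raddr 198.51.100.7 rport 40000',
].join('\r\n');

// Assumed public address of the VPN tunnel (constructed).
const ASSUMED_VPN_EGRESS = '198.51.100.7';

const report = findAddressDisclosures(SAMPLE_SDP, ASSUMED_VPN_EGRESS);
console.log(JSON.stringify(report, null, 2));
```

Run with `node`, and the report lists 203.0.113.45 as a `vpn-bypass` finding and the two private addresses as `lan-address-disclosure`, while the relay candidate and the egress-matching STUN candidate are silent. The opt-out Andreas asked Mozilla to invert is the Firefox `media.peerconnection.enabled` preference in about:config; with it set to false no peer connection is created and no candidates are gathered at all.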


