[Cryptography] Toxic Combination

Andreas Briese ab at bri-c.de
Thu Dec 4 04:59:48 EST 2014

Am 04.12.2014 um 08:21 schrieb Peter Gutmann <pgut001 at cs.auckland.ac.nz>:

> Ben Laurie <benl at google.com> writes:
>> I think that's a completely unfair accusation - the difficulty has always
>> been the lack of a _usable_ way to _securely_ implement such protocols.
> You forgot the rest of the list that gets trotted out:
> It won't scale, there's no user demand, there's insufficient industry support, 
> I ran out of gas, I had a flat tire, I didn't have enough money for cab fare, 
> my tux didn't come back from the cleaners, an old friend came in from out of 
> town, someone stole my car, there was an earthquake, a terrible flood, 
> locusts!
> There have been endless studies done and papers published on how to do
> perfectly usable shared secret-based authentication.  Heck, I devote
> significant chunks of my book (draft) to them, I'd be surprised if there were
> less than a hundred references to published work on how to do it.
>> And it has to be secure - which includes "not allow credential theft _even by
>> the site operator_".
> Oh, that's a new one: Set a requirement that can't possibly be met (except
> perhaps through the use of magic) and then claim you can't meet that
> requirement, therefore it's not worth doing.
> Looking past all the excuses, there is one, and only one, reason why no
> browser supports proper shared secret-based mutual auth: The browser vendors
> don't want to do it.  Meanwhile they're busy implementing more mission-
> critical stuff like live in-browser video chat via WebRTC, because that's
> functionality that everyone has been crying out for for a web browser.

regarding webrtc i'am with you.

in March i posted 

#webRTCipleak Firefox browser enables unmasking #VPN by default config; test & fix: http://bitly.com/1pnFEwp

on twitter and bugzilla;  Mozillas reaction was NONE


i asked for making webRTC an opt-In instead of opt-Out until it's fixed. 

reaction: none - because VPN unveil is nothing to look at by the standards.

somehow discouraging 


> Peter.
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography

More information about the cryptography mailing list