[Cryptography] It's GnuTLS's turn: "Critical new bug in crypto library leaves Linux, apps open to drive-by attacks"
John Ioannidis
ji at tla.org
Tue Jun 3 16:29:16 EDT 2014
On Tue, Jun 3, 2014 at 1:57 PM, Jerry Leichter <leichter at lrw.com> wrote:
> ...
>
> But that's all just whistling into a hurricane. The economics say "use
> the free code, ship first and worry about security later" - the long,
> all-too-familiar list of reasons not to do the right thing.
>
>
Show me *one* company that does the right thing, security-wise, and is
profitable.
It took a major attack (allegedly) by the Chinese for Google to start
taking security seriously. It took them a major attack from the NSA to
finally turn on mandatory encryption in internal RPCs.
It makes sense in another perverse sort of way: so long as users are
susceptible to social engineering (the world's oldest profession), there
will always be far easier ways for criminals to victimize users than to
break the crypto. So why bother fixing the crypto? It's not the most
pressing problem.
Frankly, I'd rather see big companies spend resources on how to train
their users NOT to believe scammers (they seem to be doing the opposite by
telling you to turn off various security features so you can install their
applications) than fixing bugs in openssl or gnutls. Google does this with
cert-pinning in Chrome, and warnings on suspicious email messages, but
that's a drop in the security bucket.
/ji
PS: I'm scrupulously avoiding having anything to do with security in my
current job, so don't ask me how Twitter does in that respect :)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140603/91bb5245/attachment.html>
More information about the cryptography
mailing list