[Cryptography] The Trust Problem

Danny Muizebelt dannym at packetloss.at
Wed May 21 10:37:22 EDT 2014


>> What should you demand to be convinced that you can use some software
>> safely?

First post in the mailing list so don't shoot me for being a noob or
stating the obvious.

The usual reasons for trust have not and will not change. I do not think
that any cloud based software can expect any level of trust.

Personally I would give more trust to software which has its roots in a
"privacy friendly" political setting and where the developer has no
personal interest or ability to generate any income from it. The latter
would promote more compatibility with other developers which support the
same open encryption standards. PGP would be a nice example.

So choice of vendor would lead to more diversity which would increase the
hassle of an attacker to get a complete picture of the data transactions
within the circle of trust.

Unfortunately developers are currently more interested in creating walled
gardens offering pseudo-security and offering a potential hacker a single
attack vector.

I am sure there are others but for me PGP has always been an iconic example
as an encryption standard which is vendor independent and which can create
secure data exchange between a select group of individuals if they did a
proper offline key exchange. The downside is that it is not very practical,
one of the reasons why probably less than 1% of the internet users use PGP.

Last but not least, no matter what encryption tool you use, do you trust
the operating system and other trojans you might have installed? For an
internet connected machine expect that at least some government and/or
Russian hacker (stereotype) has your private data.

-Danny