[Cryptography] ISPs caught in STARTTLS downgrade attacks

Watson Ladd watsonbladd at gmail.com
Sun Nov 16 12:58:55 EST 2014

On Nov 14, 2014 2:59 PM, "John Gilmore" <gnu at toad.com> wrote:
> > Seriously, the crypto community has too many cry babies and not enough
> > implementors. I'd be happy if someone designs and implements something
> > that's better. Please obsolete me.
> "Cypherpunks write code" was an inspiring principle from the '90s.  It
> caused a lot of people to go the one step further than just learning,
> teaching, and criticizing about crypto (which are still valuable).

I think you seriously underestimate the value of specialization, and
the degree to which this specialization exists in cryptography. There
is no reason the cryptocat author couldn't have sat down with someone
who knows cryptography at the start, and avoided massive bugs. I'm not
a usability expert, I'm merely okay at programming, and I have no idea
about the pathologies of massive operations. Even in cryptography, I'm
not an expert on cryptographic protocols: I can read much of the
research, and can design protocols accordingly, but nothing
groundbreaking. I'm entirely ignorant of cryptanalysis: I know what's
out there and that's it.

DJB is the rare exception: an expert in secure C coding (don't code in
C: it's not worth it) and in high-performance cryptography. But if you
look at his research you will see that cryptographic protocols are not
his forte: he's not the person you should ask about replacing TLS.
Hugo Krawczyk has a number of publications in the world of protocol
design, but few in implementations. Neither of them is Lars Knudsen,
who did a lot of cryptanalysis research, but very little in either
implementation or protocol design.

I haven't even touched usability, the 800-pound elephant in the room
and the reason why Johnny Can't Encrypt. The set of people who are
good enough at cryptography, secure coding, and usability to do
interesting things is small, possibly empty. That's what collaboration
is for. But the first part is telling people "no, you don't know
everything: have me handle the part I'm good at and you the part
you're good at".

DANE here might not be so bad: the alternative is no authentication
whatsoever. But some of the other suggested uses actually are steps
backwards, like proposed uses in TLS 1.3. Paul Wouters hasn't seriously
analyzed the runtime of batch NFS as far as I can tell: this 30 day
rotation is based on an analysis ignoring standard speedups.

The result of "cypherpunks write code" is similar to the "real men
drill holes" philosophy. It doesn't matter how much code you write, or
how many holes you drill if it doesn't solve the problem. It just gets
in the way. If people can't use PGP, it doesn't matter how good the
design is: it doesn't work. If RSA-1024 can be broken by custom
hardware, it doesn't matter how unusable DNSSEC is: the whole thing is

Watson Ladd
>         John
