[Cryptography] Paranoia for a Monday Morning

Bear bear at sonic.net
Mon Oct 27 16:44:20 EDT 2014

On Mon, 2014-10-27 at 07:35 -0400, Jerry Leichter wrote:

> As I look at the world around me, however, I see few proven attacks
> against fielded cryptographic implementations - but an ever-flowing
> stream of attacks against another class of standardized software.  I'm
> talking, of course, about browsers.  
> And that, of course, raises the question:  Accident, or enemy action?

Tempting as it is to look around for someone to blame, I think this 
is simply a result of the browser wars of the '90s.  

At that time leading browser manufacturers were deliberately
introducing features incompatible with other browsers, implementing
features introduced by other browsers in ways that were deliberately
incompatible or subtly different ("extended!"), creating HTML 
authoring tools that deliberately caused other vendors' browsers 
to stumble over the differences, and scrambling to play catch-up 
with each other which meant that the differences and incompatibilities
multiplied with every new version.  

This festering swamp is the environment that the current browser
"standards" you're talking about grew out of.

It is no remarkable thing that they are horrendously complex,
inconsistent, and filled with labyrinthine masses of exceptions.  


More information about the cryptography mailing list