[Cryptography] Paranoia for a Monday Morning
bear at sonic.net
Mon Oct 27 16:44:20 EDT 2014
On Mon, 2014-10-27 at 07:35 -0400, Jerry Leichter wrote:
> As I look at the world around me, however, I see few proven attacks
> against fielded cryptographic implementations - but an ever-flowing
> stream of attacks against another class of standardized software. I'm
> talking, of course, about browsers.
> And that, of course, raises the question: Accident, or enemy action?
Tempting as it is to look around for someone to blame, I think this
is simply a result of the browser wars of the '90s.
At that time leading browser manufacturers were deliberately
introducing features incompatible with other browsers, implementing
features introduced by other browsers in ways that were deliberately
incompatible or subtly different ("extended!"), creating HTML
authoring tools that deliberately caused other vendors' browsers
to stumble over the differences, and scrambling to play catch-up
with each other, which meant that the differences and incompatibilities
multiplied with every new version.
This festering swamp is the environment that the current browser
"standards" you're talking about grew out of.
It is no remarkable thing that they are horrendously complex,
inconsistent, and filled with labyrinthine masses of exceptions.