[Cryptography] Long-term security (was Re: ratcheting DH strengths over time)
Ray Dillinger
bear at sonic.net
Tue Nov 17 20:38:45 EST 2015
On 11/17/2015 05:52 AM, Perry E. Metzger wrote:
> Fully automated patching seems like the only solution there (at least
> by default unless you configure it not to), but given the price
> pressures and the lack of consumer demand, it seems unlikely that the
> average vendor will do that.
The real problem is that people want to build all this stuff
without a self-destruct timer. Things that don't wear out, get
folded into infrastructure and forgotten rather than becoming
a routine part of infrastructure maintenance.
All of these IoT devices need dead-man switches to assure that
their software does in fact get updated occasionally as the
security issues get worked out.
If you want an automatic update, that's a fine way to prevent
an expiry from happening in the usual case. But not an excuse
to build a device with no expiry, because automatic updates
can be prevented by accident (firewall configuration by someone
who didn't think of it) or on purpose (Site Policy says no new
software enters the Tempest secured area, period, without an
audit trail, a purchase order, a signed authorization from our
security department, the signature of a company representative
on behalf of the software provider, a receipt that we can use to
establish the provider's culpability in case of malfeasance or
criminal negligence, etc....).
I for one wish that a particular crappy "wireless J" router had
just plain stopped working three years after it was purchased,
prompting me to update its software or buy a new one, instead of
continuing to present vulnerabilities. But it never called attention
to itself, and I didn't notice it until doing an audit.
Let IoT devices, and routers, and switches, etc, come with
expiration dates molded into plates in the cases in large, deep
letters that can't be filed off or altered while leaving the
cases at all intact, and countdown timers with nonvolatile
registers inside that will flatly shut them down on that date
unless the software has been updated before then.
Manufacturers could "refresh" the devices for a nominal fee or for
free, fitting new expiry plates right along with the new software,
or count them toward "exchange" for new devices and resell them
refurbished. People who don't care about keeping the "expiry
plates" current, or who don't want the turnaround time, can be
allowed to just download the patches and install them themselves.
But the important thing is that the devices oughtn't continue
to work indefinitely unless somebody *does* install new software.
Bear
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20151117/e242ac04/attachment.sig>
More information about the cryptography
mailing list