[Cryptography] Other obvious issues being ignored?

dan at geer.org dan at geer.org
Sat Oct 24 08:09:50 EDT 2015


 > ...snip...
 >
 > 1.  You're saying out loud what's obvious but unacknowledged:
 > The base of your trust is not in any CA, it's in your browser's
 > code.  Whether open source or closed, browsers are way too complex
 > and change way too often to be effectively audited by any outside
 > team.  All the cryptography in the world can't protect you from
 > attack code within your browser itself.
 >
 > ...snip...

So, let me suggest that audit is headed for a brick wall.  I don't
like that, but it seems so.  The reason, as you say, is a side
effect of complexity that leads to obscurity.  But obscurity is
the malware writer's central technique and, arguably, stealing our
opponents' techniques is fair if not brilliant.  See, in other
words, DARPA's in-progress work looking at obfuscation -- original
announcement here:

https://www.fbo.gov/index?s=opportunity&mode=form&id=a303af332a90b1e84fdb91d7dd382396&tab=core&_cview=0

which leads me to ask the general question, what does one do when
something you might soon depend upon can simply never be analyzed?

This may be on the wrong list for this discussion.

--dan
