[Cryptography] The default password of '1234'

ianG iang at iang.org
Sat Sep 19 10:58:55 EDT 2015


On 18/09/2015 15:37 pm, Dave Horsfall wrote:
> But what can we do?  I hang out on an Aussie techie-sort of list, and this
> bod is quite IT-aware.
>
> -- Dave Horsfall DTM (VK2KFU) "Those who don't understand security will
> suffer." I'll support shark-culling when they have been observed walking
> on dry land.
>
> ---------- Forwarded message ----------
> Subject: More one of 'it security' dave. Our hotel has WiFi internet.
> Pretty normal these
> days. It starts to play up, so for 'giggles' I connect a web browser to
> the default route and get presented with a "Movistar home ADSL" router.
> Can see status but the interesting stuff is of course password
> protected. Some time later (presumably after someone reboots it to make
> the 'net work again), I type into google 'Movistar ADSL password' and
> get the device's manual. The default password of '1234' has not been
> changed...... I'm not sure whether or not this is better than the hotel
> gateway I saw last year that was using SSL, but using the device
> manufacturer's default certificate, so every time my laptop or tablet
> connected *I got these large flashing warnings* about certificate
> mismatch. Basically the world at large is training the user population
> at large to ignore security errors and just accept anything......


I've been calling that click-thru syndrome since forever.

The essential point is correct - the web browsing model is broken 
because we taught the users to ignore it.  It can't be remedied.  This 
is why every CA is the same, and there is a race to the bottom in CA security.

But no, it can't be fixed, only papered over.  There are these colours 
available at your local wallpaper store:

   * everything has to go HTTPS (yay say the dodgy CAs) or
   * we have to replace the browser security model
    (over our dead bodies, say the CAs, and they've fought
     that battle to prove it with CABForum).

Which is why I started promoting HTTPS Everywhere in 2005.



iang


