[Cryptography] "we need to protect [our dox] by at least encrypting them"

[ianG]

On 07/11/2016 22:41, Florian Weimer wrote:
>> Here's a new data point from Wired - how long did it take the browser
>> manufacturers to respond to the bleedingly obvious failed GUI of the
>> padlock?  20 years.
>> https://www.wired.com/2016/11/googles-chrome-hackers-flip-webs-security-model/
>>
>> That article is the Good, the Bad and the Ugly of security thinking.
>> Count the years - SSL and secure browsing invented in 1994, and the GUI
>> was screwed by Netscape 1.0.  Now, in 2014, a browser manufacturer
>> starts to seriously think about how to present the user a message.
>
> I think you're missing the point.


Well, actually, I'm accepting the point that something "should be done" 
but also I'm making the point that within the year we knew there were 
problems with the model.  And the chickens came home to roost mid 2000s.

And it took to 2014 for one browser manufacturer to think it was broken.


> The message at the time was that
> online transactions could be made reasonably secure, so that the are
> beneficial to the parties involved.  This was and is evidently true.

You can't show that causality.  Until mid 2000s, there was only a vague 
handwavy correlation between "claimed secure" and "unknown threat." 
Which matches at both 1 and 0.

> Back in the 90s, people weren't quite ready to believe that, so some
> smart people added some cryptography nobody quite understood.  That
> gave everyone the confidence they were desperate for.  That the
> cryptography was broken from the start, that the X.509 standard was
> completely at odds with Internet domain names (and still is today, to
> some degree), that the Internet threat model was wrong even back then,
> that the user interface was a mess, all that did not matter.  It
> wasn't about the technical details.


I've heard that story.  I've read that story.  I don't believe it.  I've 
never seen any evidence that an Internet merchant said "I don't have the 
confidence to take a credit card because ..."

It makes zero sense.  At the time, credit cards were being lifted by 
insiders - talk was of waiters taking credit cards and swiping them away 
from the customer.  Yet there were no waitresses on the Internet, *and* 
in both scenarios, the customers were covered and the merchants would 
accept the chargeback.  Fraud was quite high in those days!

What I have heard is, that which drove the web in those early days was 
porn.  And, what the porn operators were afraid of was not theft of CC 
but showing porn to under 18s.  When credit cards were offered, with 
encryption, they were given a two-way pass.  Only over-18 year olds had 
the card, and the encryption stopped the rest.  Bingo!

Of course, within the month they dropped the encryption over the content 
because it was too slow, and just left it for the credit card.  Breaking 
the model.

And, chargebacks on porn were ridiculously high.  Way higher than any 
other threat.  They would have had to advertised credit cards on 
billboards to even move the needle on actual theft of credit cards over 
the wire.

I'm quite happy to be shown some evidence and shown to be wrong.  I'm 
quite happy to believe that the sellers of encryption convinced the 
buyers of encryption they didn't have the confidence.

But merchants?  For a start they didn't exist as a movement, and for 
next, they were all arbitrage operators and 'confidence' was the least 
of their worries.  It all sounds so surreal.

iang