[Cryptography] "we need to protect [our dox] by at least encrypting them"

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Nov 8 05:10:07 EST 2016


ianG <iang at iang.org> writes:

>Here's a new data point from Wired - how long did it take the browser
>manufacturers to respond to the bleedingly obvious failed GUI of the padlock?
>20 years.
>https://www.wired.com/2016/11/googles-chrome-hackers-flip-webs-security-model/
>
>That article is the Good, the Bad and the Ugly of security thinking. Count
>the years - SSL and secure browsing invented in 1994, and the GUI was screwed
>by Netscape 1.0.  Now, in 2014, a browser manufacturer starts to seriously
>think about how to present the user a message.

But look at what they're doing, it's what some guy called Grigg once described
as "more of what we already know doesn't work".  So they're going to warn even
harder that you're not using a CA-supplied cert, because if there's one thing
that 20 years of experience with insecurity has told us, it's that that's all
you need to make web browsing secure.

Note that the article doesn't say they're actually going to take any measures
to improve security, just following the old "anything HTTP is unsafe, anything
HTTPS is safe" that hasn't done anything to stop phishing, malware, or any of
the other fun stuff on the web.

So I'd say it's mostly the Ugly of security thinking.  It shows that after 20
years of failure to make progress, nothing has changed.  Prognosis: 20 more
years of the same.

Peter.
