[Cryptography] Confidentiality and IoT (was: Old Let's Encrypt's Root Certificate expires...)

Dennis E. Hamilton dennis.hamilton at acm.org
Sat Oct 2 11:33:30 EDT 2021

-----Original Message-----
From: cryptography Jeremy Stanley
Sent: Friday, October 1, 2021 15:00
To: cryptography at metzdowd.com

>On 2021-10-01 14:22:01 -0400 (-0400), Phillip Hallam-Baker wrote:
 >> If all you want is confidentiality, unauthenticated ephemeral key
 >> exchange is sufficient to defeat passive attack which is more than
 >> sufficient to control my conversations with my house thermostats, etc.

 >Veering even farther off-topic, I don't really think confidentiality is
the problem with where IoT is going.

 [ ... ]

>People are concerned with the notion of criminals getting access to
poorly-secured IoT devices, but the joke's on them. The real criminals were
>baked in before those devices ever shipped.

Yes, and with regard to prescribed healthcare devices, it is concerning how
these phone home, are now blue-toothed to phone apps, and are somehow
controllable remotely as well as monitored.  I may trust my sleep therapist,
but have not such confidence in the intermediaries and knowing who all of
them are and the dependability of their protections of data about me.  My
fitness band doesn't even have HIPAA assurance.

I'm also distressed by how health providers and some insurers are captivated
by snake-oil (bespoke) chart systems that exhibit serious faux privacy
safeguards to their patients/subscribers.  That a surgeon trusts the office
manager to have proper secure access to charts is not any reassurance for
me, who sees blatant sign-in bypasses.

Le sigh, expecting things to get worse before forced to get better.

 - Dennis

More information about the cryptography mailing list