[Cryptography] cost/benefit ratios was Re: New SSL/TLS certs to each live no longer than 47 days by 2029
Peter Fairbrother
peter at tsto.co.uk
Thu Apr 24 18:09:29 EDT 2025
On 23/04/2025 02:16, Theodore Ts'o wrote:
[...]
> No defense is 100% effective. A defense
> is effective if it increases the effort required by the attacker such
> that the cost/benefit ratio means that carrying out that attack is no
> longer cost effective.

I think it's a little more complicated than that. You are, I assume,
talking about the cost to the attacker - but what about the cost to the
defender of a successful attack? These costs are unlikely to be equal.

Also, the attacker will in many cases not know the actual benefit to
him, and may assess whether to mount an attack on an incorrect estimate.

And also also, who said attackers were all logical? Or cared about
cost-effectiveness?

"Never underestimate the attention, risk, money, and time that an
opponent will put into reading traffic" - Robert Morris, former Chief
Scientist NCSC NSA

Peter Fairbrother