On 7/1/09 04:25, Daniel Veditz wrote:
> Ian G wrote:
>> "SSL protects data in transit but the problem isn't eavesdropping on the
>> transmission. Someone can steal the credit card on some server
>> somewhere. The real risk is data in storage. SSL protects against the
>> wrong problem," he said.
>
> That's like saying "No, no, mugging isn't a problem--the real money is
> in bank heists."  You can't ignore one problem or the other.


In effect you can. Like most businesses, security is done according to economics. First you learn the business model. Then you identify all the threats, then you validate them, then you match it to a security model that best covers them. The security model that covers the most value in threats for the lowest money wins.

As all security models will leave off certain things, they are all compromises at some level.


>> "The paper is not a surprise, but at the same time it's the crispest
>> demonstration for why it's necessary to remove this broken algorithm
>> everywhere it is being used," he said, before adding "there are bigger
>> things to worry about, like browser bugs and operating security bugs."
>
> Absolutely. Let's plan to phase out support for MD5 and move on to
> bigger issues.


Yeah, that should have been decided and announced last year :)



iang