"Steven M. Bellovin" wrote:

> Please don't take this personally...

None taken here, and I doubt that the author of the tool (who has just joined this list, it seems) would take any!

> From a security point of view, why should anyone download any plug-in
> from an unknown party? In this very specific case, why should someone
> download a plug-in that by its own description is playing around in
> the crypto arena? How do we know it's not going to steal keys? Is the
> Mozilla API strong enough that it can't possibly do that? Is it
> implemented well enough that we trust it? (I see that in this case,
> the guts of the plug-in are in Javascript. Given how often Javascript
> has played a starring role in assorted security flaws, that doesn't
> reassure me. But I do appreciate open source.)

It's an issue. I think the answer requires the same analysis as always: someone would download this plug-in if the result were likely more security in the overall browsing experience. So the question then arises: could this plug-in give more security than the exposure to an untrustworthy party warrants?

On the one hand, the plug-in isn't likely to be terribly effective, as is fairly obvious and as has been pointed out. OTOH, one might be downloading a trojan. Well, that's possible. Is it likely? I don't think so, and here's why:

If this were an attack, it would be unlikely to be effective. There is a known site (albeit with a masked identity) with a webpage, etc. So there are tracks, and angry emails to the owner of the site will incur a cost for the attacker. Few people use keys, making this an obscure approach. I suppose if the target really *was* keys, then the challenge would be to target those key users ... against which, the users of keys are likely to be more security conscious than other victims. If the person was indeed a crook, why would he use open source?

And, even though Javascript may have a poor security record, that's to do with bugs in its model and code, efforts and potential security breaches, not with crooks actually inserting code to steal value. I.e., theoretical breaches of security, not actual breaches of security.

Also, to impugn the plug-in arrangement is to impugn all plug-ins, and to impugn the download from an unknown is to impugn all downloads from unknowns. What is the risk of downloads being trojaned, and the risk of plug-ins being aggressive? These are unknowable risks, a priori, so we have to resort to statistics and cost-benefit to work out the probability.

And here, statistics is on our side. In practice, an attack is rarely initiated via a download, or via a plug-in. I.e., "download this fantastic tool" which just so annoyingly includes a trojan from the person who manages the site doesn't seem to occur as a real attack with any frequency. (Partly because it takes a long time to find the right victim, and partly because it leaves the attacker static and vulnerable, I'm guessing. In comparison, it seems that attackers get much better results by using targeted mass-mailing tools to deliver their EMD.)

So on balance, I won't download the tool, because its effectiveness is low. But so is its risk. Other people might come to other conclusions, but I personally don't buy the argument that just because I don't know the site, it shouldn't be touched. Life is full of risks. Only by taking risks do we understand what works and what doesn't. Real-life security is like that, as in practice we know that not all can be covered in security, as it is simply too expensive to be 100% safe. So we have to take some risks in some areas.

EMD - emails of mass destruction?

-- 
iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]