"Steven M. Bellovin" wrote:

> Please don't take this personally...

None taken here, and I doubt that the author
of the tool (who has just joined this list
it seems) would take any!

> >From a security point of view, why should anyone download any plug-in
> from an unknown party?  In this very specific case, why should someone
> download a a plug-in that by its own description is playing around in
> the crypto arena.  How do we know it's not going to steal keys?  Is the
> Mozilla API strong enough that it can't possibly do that?  Is it
> implemented well enough that we trust it?  (I see that in this case,
> the guts of the plug-in are in Javascript.  Given how often Javascript
> has played a starring role in assorted security flaws, that doesn't
> reassure me.  But I do appreciate open source.)

It's an issue.  I think the answer requires the same
analysis as always:  someone would download this
plug-in if the result were likely more security in
the overall browsing experience.

So, the question then arises, could this plug-in
give more security than the exposure to an
untrustworthy party warrants?

On the one hand, the plug-in isn't likely to be
terribly effective, as is fairly obvious, as has
been pointed out.

OTOH, one might be downloading a trojan.  Well,
that's possible.  Is it likely?  I don't think
so, and here's why:

If this were an attack, it would be unlikely to
be effective.  There is a known site (albeit
with a masked identity) with a webpage, etc.
So there are tracks, and angry emails to the
owner of the site will incur a cost for the

Few people use keys, making this an obscure
approach.  I suppose if the target really *was*
keys, then the challenge would be to target
those key users ... against which, the users
of keys are likely to be more security conscious
than other victims.

If the person was indeed a crook, why would he
use open source?  And, even though Javascript
may have a poor security record, that's to do
with bugs in its model and code efforts and
potential security breachs, not with crooks
acutally inserting code to steal value.  I.e.,
theoretical breaches of security, not actual
breaches of security.

Also, to impune the plug-in arrangement is to
impune all plug-ins, and to impune the download
from an unknown is to impune all downloads from
unknowns.  What is the risk of downloads being
trojaned, and the risk of plug-ins being aggressive?

These are unknowable risks, a priori, so we
have to resort to statistics and cost-benefit
to work out the probability.  And here,
statistics is on our side.  In practice, an
attack is rarely initiated via a download,
or via a plug-in.

I.e., "download this fantastic tool" which
just so annoyingly includes a trojan from the
person who manages the site doesn't seem to
occur as a real attack with any frequency.

(Partly because it takes a long time to find
the right victim, and partly because it
leaves the attacker static and vulnerable,
I'm guessing.  In comparison, it seems that
attackers get much better results by using
targetted mass mailings tools to deliver
their EMD.)

So on balance, I won't download the tool,
because its effectiveness is low.  But so
is its risk.  Other people might come to
other conclusions, but I personally don't
buy the argument that just because I don't
know the site, it shouldn't be touched.

Life is full of risks.  Only by taking
risks do we understand what works and what
doesn't.  Real-life security is like that,
as in practice, we know that not all can
be covered in security, as it is simply
too expensive to be 100% safe.  So we have
to take some risks in some areas.

EMD - emails of mass destruction?


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to