On 17/09/11 17:56, lodewijk andré de la porte wrote: > ...therefore assumes others assume SSL to be broken by design...
SSL is not "broken by design"! SSL was designed to protect relatively low-value retail commerce, and it still does that job reasonably well. What failed were our mechanisms to ensure that system usage regime does not exceed it's design parameters. If I can be flippant, SSL was a pedestrian bridge which ended up used to drive 18-wheelers across it. What failed was the total absence of an equivalent of a notice in big red letters somewhere on the access ramp: "this structure is not capable of carrying heavy vehicles. If you use it to do so, it will collapse and you will get hurt or killed". There once was a rich, well organized industry fighting such move, (think CA's :), but we finally got those "Smoking Kills" notices on cigarette boxes. And the reasons we are not, at least as a stop-gap measure, putting up such notices on browsers (i.e., the package) right now (as the evidence of the danger of the product misuse is emerging not only among the experts but among the general public as well) is twofold: the industry lobby, helped immensely by that most misguided computer security doctrine: "the user is an uneducated moron and must be treated accordingly". Mark R. _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
