On 7/02/13 23:56 PM, Thierry Moreau wrote:
ianG wrote:
[Hushmail design] isn't
perfect but it was a whole lot better than futzing around with OpenPGP
keys and manual decrypting. And it was the latter 'risk' view that
won, Hushmail filled that niche between the hard core pgp community,
and the people who did business and needed an easy tool.
Don't be suspicious, be curious -- this is where security is at.
Human rights reporters already put their life on the line. Your
mission is not to protect their life absolutely,
One design aspect seems missing from the high-level discussion: how do
you define the security mechanism failure mode? You have basically two
options: connect with an insecure protocol, or do not connect at all.
If it's a life-preserving application, this question should be addressed
explicitly. A "fail safe" system may be either way, but stakeholders
should know which way. Airplane pilots are trained according to the
failure mode of each aircraft subsystem. E.g. if two-way radio fails,
the pilot may remain confident (from an indication on the cockpit) that
the air traffic controller (ATC) still sees the aircraft identifier on
the radar (see Wikipedia entry for transponder) during the emergency
landing. Thus the decision to land at the major airport (instead of a
secondary airport with less traffic in conflict but lower grade
facilities) is taken based on the "fail-safe" property of the
aircraft-to-ATC communications subsystem.
A fine puzzle. From those assumptions -- training, indicators,
redundancy -- here's my answer to the question.
In typical Internet user security situations, those things either don't
exist or aren't reliable. Consider users with SSL, padlocks, etc.
Faced with difficulty in ensuring the efficacy of these assumptions,
what does a rational designer do? To my mind, it is this: there is
only one mode, and it is secure. If circumstances are that your packets
(secure, monocular) are not getting thru, then there is no connection.
Another way of looking at this is to ask how the indication is driven?
If it is possible to show a good indication of potential insecurity, why
isn't it possible to fix the problem? In security protocols, we
generally strive to fix everything we can, so that the model is perfect.
Typically, our society is cannibalistic and seizes on any weakness as
a chance to feed. Only a complete security model is any good in our
market. Whilst very annoying at times, it does rather stress that we do
not have a good understanding of how to deliver a "half" service.
my 2c.
iang
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
