> On Oct 6, 2015, at 10:52 AM, Rich Pieri <[email protected]> wrote:
>
> The problem isn't encryption or lack thereof. The problem is that the way we
> handle authentication is fundamentally broken. Centralized authentication is
> literally an all eggs in one basket deal. Steal the basket and you get all
> the eggs.

You are describing one specific approach; not all authentication systems have the problem you outline.

> The problem is compounded by a bass-ackwards verification system. X.509 was
> designed for identifying individual users to a group of services -- that is,
> many users to a few centralized services. SSL and TLS do it backwards,
> identifying a few centralized services to many users. It requires blind trust
> that a few centralized authorities have not been compromised, have not had
> their baskets of eggs stolen from them.
>
> The problem is further compounded by the belief that encrypting everything
> will save the world and make everything better. It won't. Encrypting a broken
> authentication system and a bass-ackwards verification system will not make
> them any less broken and bass-ackwards.

It may not make everything better - but you can cut down on the MiTM and increase the noise. Increasing the noise will go a long way to make an adversary's job more difficult.

Anthony
