On Mon, Aug 13, 2012 at 12:38 PM, Fabio Pietrosanti (naif) <li...@infosecurity.ch> wrote: > The average user (a very stupid, dumb user but with very strong political > commitment in freedom fighting) will always trust the website / operator. > > We CANNOT FIX that problem in any technical/cryptographic way. > > That kind of user will do whatever the "server operator"/"website" will > tell/ask him to do.
This actually can be solved, at least largely— not in the short term, but with hard work and education. The primary problem right now is that there is basically no option except single party trust for anything except the most sophisticated users. But it doesn't have to be this way. For example, it wouldn't be hard to educate people to only install software on their secure systems via a downloading tool that verifies (cryptographically) that the software which is being installed has been independently peer reviewed by multiple parties and is free of trusted reviewers asserting that the software is unsafe. The authenticity and independence of the signing parties can be validated by the software— the user only needs to provide keys from some people he knows to bootstrap the process. It wouldn't be hard— except the tools don't exist and there are a number of practical challenges that need to be solved, and interesting tradeoffs that need to be made. (In particular, updates can't be deployed very rapidly in such a model, so we need to greatly increase the basic reliablity and security of the software before reviewed distribution can really work). Of course, the participant in needs a honest introduction in the first place— people could deny them knowledge of the existence of this secure software ecosystem entirely. But compromising a user at an obviously (to the user) important one time event is much harder than compromising them at any of hundreds of monthly technological impediment events. _______________________________________________ liberationtech mailing list liberationtech@lists.stanford.edu Should you need to change your subscription options, please go to: https://mailman.stanford.edu/mailman/listinfo/liberationtech If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?" You will need the user name and password you receive from the list moderator in monthly reminders. You may ask for a reminder here: https://mailman.stanford.edu/mailman/listinfo/liberationtech Should you need immediate assistance, please contact the list moderator. Please don't forget to follow us on http://twitter.com/#!/Liberationtech