Ian G wrote:
> Frank Hecker wrote:
> > Nelson B wrote:

> > (Note to Ian: Whether 40-bit encryption actually posed a real security
> > risk or not is IMO irrelevant to the banks' decision making. Arguably
> > not allowing use of 40-bit for online banking was irrational in some
> > sense, but I believe that in real-world security decisions irrationality
> > can't be removed from the equation, no more than it can in real-world
> > economic decisions -- e.g., behavioral economics -- and has to be
> > accounted for in any analysis.)
>
>
> Let me disagree mildly here:  Banks make security decisions
> according to rational processes.  The problem is that those
> processes are not based on security, so to the outside observer
> they look irrational because they speak of security!

If phishing continues to gain in popularity I wouldn't be overly
surprised if we see banks start to require use of currently patched
OSes and browsers that make it harder to trick the user. This of course
assumes there is a significant difference between the options a user has,
which I expect will be the case within a few years' time.


> One of those processes
> is an excessive sensitivity to criticism on security, which
> relates to them as regulated players, and as listed players.
> Both these forces push banks in the direction of doing
> "everything they can" to secure their processes.  Which
> means that given the choice between 40-bit and 128-bit, it
> would be very very unlikely that banks would choose 40-bit
> knowingly.
>
> Note that "criticism to security" is not the same thing as
> security.

Both fair points.

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto