Jeremy Blosser wrote: > > Neither of these are necessarily true. HTTPS is a good example. Most > ebay and amazon users have no idea of any of the technical issues > involved with using SSL, but because they use it anyway, their > communication is more secure than it would be without it. And because > they use it, it is easily available to those of us that do understand > it.
sure, but it induces a false sense of confidence. i work at a webhost, so i see lots of people who have a secure cert and still engage in questionable security practices (having credit card numbers emailed to them unencrypted, unsafe file permissions, etc).... people with a low degree of technical sophistication will be happy when they see that little yellow lock in their browser; this is more misleading than if there was no encryption at all. the same is true of s/mime to an extent. first of all, it wouldn't be terribly difficult to fool someone with some sort of social engineering trick that makes a message appear to be encrypted / signed when it really isn't. this would induce a false sense of confidence. secondly, amazon and ebay receive a lot of scrutiny; however mr. or ms. john/jane q. public doesn't probably have great security on their home windows box. what happens when their passphrase keystrokes are logged and their private key is stolen? before they notice (IF they notice) someone could forge their identity. of course both of these are true for PGP, but by the time you learn how to use PGP, you've (hopefully) acquired a healthy degree of paranoia, and an understanding of the issues involved. so the issue here is trust. we don't trust amazon.com just because they have a SSL cert, but because of their size and the scrutiny they're probably subjected to. > There is certainly a point where misunderstanding or failing to > understand what's going on will put you at more risk than not using > any encryption at all, but that point is not reached by casual use of > things like HTTPS or S/MIME. i respectfully disagree. > The difficulty of PGP is what's kept it from being publically accepted > as a normal thing to do, and that in turn has made it so those that DO > use it are limited to a few tech-savvy subsets and real > revolutionaries, both of which are easily identifiable with simple > traffic analysis. so let's make it easier. i think, again, that the main issue is that most people don't care enough to put the effort into it. if people start using S/MIME more, obviously i'll be happy. mike claims that someone using IE or nutscrape will by default be able to send you an encrypted message easily, and this is a good thing (if it's really that easy). personally i don't know anyone who uses S/MIME, though, and i know a number of people who use PGP (although obviously in a certain section of the population). i think that the issues which hurt adoption of either one have a lot in common. i'm worried that all of this is simply going to cause yet more fragmentation in an area that already has a lot of fragmentation. w