On Thu, May 13, 2010 at 7:34 PM, James Hill
<[email protected]> wrote:
> If our governments can intercept/inspect encrypted traffic
> (which I'm told they can) then other less trustworthy people
> ... can as well.
The encryption used in well-known open standard systems (such as SSL
and IPsec) is believed to be proof against all publicly known attacks.
Now, the NSA (or the Chinese intelligence agencies) may have
techniques not in the public domain, but I think it very unlikely that
less rarefied organizations ("other less trustworthy people") would.
And even if some government has special techniques, it's likely they
still consume resources. Such resources may be constrained. Thus, if
you encrypt, you may still be protected.
In short: If you encrypt, chances are good you are protected. If
you're operating in the clear, you're guaranteed to be exposed.
> Once data leaves your physical premises it really is in the hands of
> whoever has access to the various paths along the way to its destination.
Which is *precisely* why I insist on using crypto. Then it's back
in my hands.
> I don't think cleartext Telnet and email are a fair comparison. Those things
> were never advertised as secure.
Fair point. Many still didn't think it was worth worrying about, though.
> I'm talking about using a network that is supposed to be private/secure
> provided by a company that we are paying for this service. If we have to
> run vpn over the top of it then the provider isn't providing what you are
> paying for.
Again: All it takes is one employee at the carrier who has been
bribed, or has a grudge, etc. Or maybe someone at the carrier just
screws up and puts your connection on the same as someone else's
worm-infected network. Or maybe the carrier's network itself is
compromised. There have been countless high-profile news events about
third-party providers screwing the pooch that I don't consider this to
be fiction, or even theoretical speculation -- rather, I consider it
quite possible.
You say you would not be getting what you paid for, and you'd be right.
So maybe that means you're entitled to getting your money back. Your
security is still compromised. And that's assuming you ever learn
about the compromise.
Risk management is always a case-by-case decision. Me, I'd rather
be sure. Especially when good crypto tunnel implementations are
basically free these days.
-- Ben