On 01/13/2010 01:45 AM, Anders Arnholm wrote:
> On Tue, Jan 12, 2010 at 04:55:10PM -0800, John Ward wrote:
>
>> account in the first place, another similar layer. If a grid operator
>> wants a little better protection by checking the string the client
>> identifies itself with would seem a reasonable additional layer.
>
> The grid operator may give any stupid ideas to the user, but I would not
> call it security. Like there is no security in making a web-site that
> only works in IE. If the operator calls this a security thing, it's
> obvious that person doesn't know squat about security or is lying. Either
> case lowers the trust for the operator to me.

If one takes a step that thwarts an attack, has security been improved? I say it has. Does thwarting an attack make a system secure? Not necessarily. If you have stupidly written a web site that only securely works with one browser, should you try to restrict access to your web site to that one browser?

>> So, is the system secure? If one's goal was to prevent casual
>> non-compliance then it probably is reasonably secure. If one wants to
>> prevent anyone from ever running a bad client on their grid then one's
>> grid is not secure.
>>
>> "Security through obscurity" is quite valid. That's why we (hopefully)
>> choose obscure passwords. If one understands what the obfuscation gets
>> them then it is just another layer.
>
> A good random passphrase is not security by obscurity.

If a password is not obscured it's not effective. If I can guess it or figure it out it's not secure. The very point of a password is for others not to know it. The more obscure it is to others, the more secure it is. The security relies on this very obscurity.

> It's a part of authentication of the user.
> In security research one has identified
> three elements that are needed for an authentication of a person:
> "ownership", "knowledge" and "inherence". The passphrase is the
> "knowledge" part; the harder something is to know, the better this leg
> of authentication. For example we could say if you on the phone can state
> which year you were born, I think you are you. This knowledge is quite
> easy for someone else to figure out, so this leg is quite easy to break.
> By making the knowledge some kind of long obscure string I made up
> myself, it's much harder for someone else to figure this out and the trust
> that me is me gets better. Still, it is just the knowledge element. To make a
> good authentication one needs at least two elements. Verifying the two
> other elements of authentication over the internet is almost impossible
> even if some attempts have been done.
>
> The passphrase only lets you to some extent be sure that the person on the
> other end is the person he or she claims to be. It has nothing to do with
> securing what he or she can do.

Determining who can do what is often called authorization.

>> I think having lots of easy to set up and use layers is a good thing even
>> when some of them are easily defeated. :-)
>
> The big risk is that no security chain is stronger than its weakest
> link. And having a lot of strong links in one part makes the user feel
> secure. Feeling secure when one isn't could be fatal.

I think of security in terms of layers, not chains. If one technique is subject to spoofing or a man-in-the-middle attack I may need to add other layers. I don't necessarily stop using those techniques because they don't.

John.

_______________________________________________
Opensim-users mailing list
[email protected]
https://lists.berlios.de/mailman/listinfo/opensim-users
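An added illustration, not from the thread or the OpenSim project: a small Python model of the two views argued above, the layered one where an attacker must get past every control, and the chain one where any broken link is enough. The bypass probabilities and the independence between controls are constructed assumptions chosen to make the comparison visible.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """One security measure with an estimated chance that an attacker who
    targets it gets past it. The numbers are constructed guesses for
    illustration, not measurements."""
    name: str
    bypass_probability: float


def residual_risk_layers(controls):
    """Defence-in-depth view: the controls are stacked and an attacker must
    get past EVERY one of them. Assuming the bypass events are independent,
    the residual risk is the product of the individual bypass probabilities,
    so even a weak layer lowers it a little."""
    risk = 1.0
    for control in controls:
        risk *= control.bypass_probability
    return risk


def residual_risk_chain(controls):
    """Chain view: the controls are links in series and the attacker wins if
    ANY one of them breaks. The chain holds only if every link holds, so the
    weakest link dominates the result."""
    all_hold = 1.0
    for control in controls:
        all_hold *= 1.0 - control.bypass_probability
    return 1.0 - all_hold


def weakest_link(controls):
    """Return the control most likely to be bypassed on its own."""
    return max(controls, key=lambda c: c.bypass_probability)


# Constructed estimates: a good random passphrase is hard to get past; a
# client identification string is easy to imitate, so that check is weak.
CONTROLS = [
    Control("account passphrase (knowledge factor)", 0.01),
    Control("client identification string check", 0.90),
]

if __name__ == "__main__":
    print(f"layers : {residual_risk_layers(CONTROLS):.3f}")  # 0.009
    print(f"chain  : {residual_risk_chain(CONTROLS):.3f}")   # 0.901
    print(f"weakest: {weakest_link(CONTROLS).name}")
```

Under the layered model the weak check still nudges the risk down (0.010 to 0.009), while under the chain model the weak link sets the outcome almost by itself; the independence assumption is what makes the layered product valid, and correlated failures break it.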
