By the way, there's an interesting new study

https://www.ieee-security.org/TC/SP2017/papers/84.pdf

that claims that many people believe communications security is "futile" because of inaccurate mental models of cryptography, and strongly endorse security through obscurity.

I've been thinking a lot about these results (it's worth reading the paper) and one way that I've been trying to conceive of it is that the research showed that many participants thought that the developer of a security technology must, inherently, always know how to crack or defeat that technology. This might be true at a technical level if encryption always worked like a substitution cipher, where there is no secret key but knowledge of the details of the cipher is equivalent to knowing how to crack it, or if public key cryptography didn't exist, so that many-to-many communications required trusted authorities to distribute key material.

Participants in that study did not tend to feel that encryption software ought to be open source because they seemed to believe that the developer of a security tool inherently, so to speak, knows the code and can always use that knowledge to break users' security. In this model other motivated attackers will gradually also learn the secret knowledge that they need to break the system, but disclosing technical details of how it works would be an especially bad idea because it would greatly speed up the process for the attackers. (Then security through obscurity is understood to be the only possible form of security.)

The study suggests that an important challenge for developers of security systems may be finding a way to communicate how security need not depend on obscurity, and also need not depend on trusting inventors of security systems to keep secrets.

--
Seth Schoen <sch...@eff.org>
Senior Staff Technologist https://www.eff.org/
Electronic Frontier Foundation https://www.eff.org/join
815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk