[cap-talk] use of hashcodes?
Bill Frantz
frantz at pwpconsult.com
Fri Feb 19 20:18:46 PST 2010
kenton at google.com (Kenton Varda) on Friday, February 19, 2010 wrote:
>“Using encryption on the Internet is the equivalent of arranging an armored
>car to deliver credit card information from someone living in a cardboard
>box to someone living on a park bench.”
>– Gene Spafford Ph.D.
>Professor of Computer Sciences, Purdue University
While I agree with Prof. Spafford's analogy, I don't think it should be
used as an excuse to avoid using good security in all the other areas of
computer systems.
Attackers will always attack at the weakest link. Nowadays these weakest
links are found in the operating systems and browsers in common use and in
network protocols such as DNS. DNS hacking is probably the easiest way to
mount a man-in-the-middle (MITM) attack, although it is far from the only
way. Using TLS avoids the MITM because the end points authenticate each
other using cryptography. (I agree that there are weaknesses in the PKI
approach commonly used by DNS. There are ways around these weaknesses.)
Already using cryptography for end-to-end authentication has improved our
security, even if we don't use it for privacy, by preventing the attacker
from acting as a MITM.
As a result, attackers most often target the end-point machines via attacks
on software weaknesses and user weaknesses via spear phishing (among many
others). Even given the serious architectural weaknesses in current
systems, such as running every program with the user's full authority, the
security on these systems continues to get better. It has been as long ago as
November since I last saw a recommendation to turn JavaScript off in
the browser from a main-stream security group. That recommendation used to
be a weekly occurrence.
As these end-point systems get better, and adopt approaches such as
Polaris[1], the attacker's job will get harder. If we continue to use
cryptography, perhaps we will be lucky enough that our networking code and
protocols will not become the low hanging fruit. If we don't use
cryptography, we surely will see networking as a major attack vector.
Cheers - Bill
[1] <http://en.wikipedia.org/wiki/HP_Polaris_(computer_security)>
-------------------------------------------------------------------------
Bill Frantz | Airline peanut bag: "Produced | Periwinkle
(408)356-8506 | in a facility that processes | 16345 Englewood Ave
www.pwpconsult.com | peanuts and other nuts." - Duh | Los Gatos, CA 95032
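The point Bill makes about DNS hijacking and TLS, as an added example that is not part of his message or of the cap-talk thread: a DNS hijack can send a client to the attacker's address, but a client that verifies the server's certificate chain and name still refuses to talk to the attacker, while a client that disables verification is silently MITMed. The hostnames bank.example and attacker.example, the throwaway CA and the loopback server are all constructed here for the demonstration; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64

// makeCert issues a certificate. With parent == nil it is self-signed, otherwise it
// is signed by parent/parentKey. Leaf certificates carry name as a DNS SAN.
func makeCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// tryHandshake serves cert on a loopback TLS listener (standing in for whatever
// address DNS returned) and reports whether a client using clientCfg accepts it.
func tryHandshake(cert *x509.Certificate, key *ecdsa.PrivateKey, clientCfg *tls.Config) (bool, string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
	})
	if err != nil {
		return false, "", err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		_ = c.(*tls.Conn).Handshake() // a failure here just mirrors the client's rejection
		c.Close()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return false, err.Error(), nil // verification failure: no MITM possible
	}
	conn.Close()
	return true, "accepted", nil
}

// RunScenarios returns, keyed by scenario, whether the client accepted the server.
func RunScenarios() (map[string]bool, error) {
	const victim = "bank.example" // constructed: the host the client intends to reach
	ca, caKey, err := makeCert("Example Root CA", true, nil, nil)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	honest, honestKey, err := makeCert(victim, false, ca, caKey)
	if err != nil {
		return nil, err
	}
	attacker, attackerKey, err := makeCert("attacker.example", false, ca, caKey) // CA-issued, wrong name
	if err != nil {
		return nil, err
	}
	forged, forgedKey, err := makeCert(victim, false, nil, nil) // right name, untrusted issuer
	if err != nil {
		return nil, err
	}
	verifying := &tls.Config{ServerName: victim, RootCAs: roots}
	unverified := &tls.Config{ServerName: victim, InsecureSkipVerify: true}
	cases := []struct {
		key, desc string
		cert      *x509.Certificate
		privKey   *ecdsa.PrivateKey
		cfg       *tls.Config
	}{
		{"honest", "honest DNS, certificate issued for bank.example", honest, honestKey, verifying},
		{"hijacked-wrong-name", "hijacked DNS, attacker's own CA-issued certificate", attacker, attackerKey, verifying},
		{"hijacked-self-signed", "hijacked DNS, self-signed certificate claiming bank.example", forged, forgedKey, verifying},
		{"hijacked-noverify", "hijacked DNS, client with verification disabled", attacker, attackerKey, unverified},
	}
	out := map[string]bool{}
	for _, c := range cases {
		ok, reason, err := tryHandshake(c.cert, c.privKey, c.cfg)
		if err != nil {
			return nil, err
		}
		out[c.key] = ok
		fmt.Printf("%-60s accepted=%-5v %s\n", c.desc, ok, reason)
	}
	return out, nil
}

func main() {
	if _, err := RunScenarios(); err != nil {
		panic(err)
	}
}
```

Only the last scenario lets the attacker through, and it does so because the client chose not to authenticate the endpoint, not because DNS was hijacked; the hijack alone buys nothing against the three verifying clients.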