[cryptography] ssl/tls splicing attack

James A. Donald jamesd at echeque.com
Wed Mar 17 03:43:13 EDT 2010


On 2010-03-17 2:34 PM, Chris Palmer wrote:
> The cryptography is far from the most important problem facing us.

The architecture *is* part of the cryptography, and it always has
been.

> Perhaps we should all stop debating here and join one of the
> usability mailing lists and get jobs with browser vendors...

Usability mailing lists are full of morons, because any idiot thinks
he understands usability, whereas most idiots realize they do not
understand cryptography.  They are also full of marketroids, who are
worse than idiots, because idiots speak what they think is the truth.
Further, the browser vendors will not hire us because cryptography is
a market for silver bullets, where neither purchasers nor vendors know
if what is being sold is any good.  If any of us were consulted on wifi,
would we have allowed an offline dictionary attack?  Wifi has had
three tries, or four, depending on how you count, and still has not
got wifi right, though most of us could have done it right easily.

Further, the present architecture of browser security
(cryptographically ensuring the validity of the displayed globally
unique true name) is locked in by the income model of everyone
involved (being paid to manage globally unique names).  Https is pretty
much working except for the major flaw that globally unique true names
overwhelm the human capacity to make distinctions.

Given that flaw, the present browser user interface is about as good
as it can get.