[cryptography] philosophical question about strengths and attacks at impossible levels

Marsh Ray marsh at extendedsubset.com
Sat Nov 20 16:37:57 EST 2010


On 11/19/2010 05:39 PM, Ian G wrote:
> On 20/11/10 6:26 AM, travis+ml-rbcryptography at subspacefield.org wrote:
>>
>> Does the fact that parts of Stuxnet were signed by two valid certs
>> count as a cryptographic failure?
>
>
> Short answer: no.
>
> Medium answer: if you look at the so-called Internet Threat Model [1] on
> which SSL was founded, the node was ruled outside the model [2]. Stolen
> valid certs are node problems not wire problems, and this is typically
> the assumption made in all certificate protocols.
>
> Longer answer: Depends on who is arguing, and what follows is my
> especial counter-cultural opinion. I am widely disagreed :)

Well I'm just going to have to disagree with you here.

> Typically, in promoting a technology, people will point at the
> cryptographic purity in a narrow fashion, and then market the protection
> delivered in a broader context. This is called a bait & switch in the
> marketing world.

The term bait-and-switch has a reasonably well defined meaning:
http://en.wikipedia.org/wiki/Bait-and-switch
http://www.ftc.gov/bcp/guides/baitads-gd.htm

I don't think this qualifies as a bait-and-switch scenario because the 
originally-advertised functionality (the bait) is still part of the package.

Bait-and-switch would be more like a salesperson saying "No, I'm sorry 
we just ran out of the low-priced RSA certificates we advertised in the 
Sunday paper. But I have a fresh shipment of ECC EV certificates that 
only cost X times more...". Especially if the store had no intention of 
stocking enough of the advertised item to cover the anticipated demand.

The best term for this that I can think of is plain old "exaggeration", 
but I don't feel like that really captures the idea. It's more that the 
claims are extended beyond their original domain, to the point where 
they may no longer apply.

Perhaps there's not a word for this because it's simply taken for 
granted in marketing. E.g., "this bottled liquid is proven to prevent 
dehydration" is extended to imply "this particular bottled liquid will 
associate you in some way with others like these happy and popular 
off-duty lifeguards playing beach volleyball".

- Marsh
