[cryptography] preventing protocol failings

Marsh Ray marsh at extendedsubset.com
Tue Jul 12 19:25:42 EDT 2011

On 07/12/2011 04:24 PM, Zooko O'Whielacronx wrote:
> On Tue, Jul 12, 2011 at 11:10 AM, Hill, Brad<bhill at paypal-inc.com>
> wrote:
>> I have found that when H3 meets deployment and use, the reality
>> too often becomes: "Something's gotta give."  We haven't yet found
>> a way to hide enough of the complexity of security to make it
>> free, and this inevitably causes conflicts with goals like
>> adoption.
> This is an excellent objection. I think this shows that most crypto
> systems have bad usability in their key management (SSL, PGP). People
> don't use such systems if they can help it, and when they do they
> often use them wrong.

But the entire purpose of securing a system is to deny access to the
protected resource. In the case of systems susceptible to potential
phishing attacks, we even require that the user themselves be the one to
decline access to the system!

Everyone here knows about the inherent security-functionality tradeoff.
I think it's such a law of nature that any control must present at least
some cost to the legitimate user in order to provide any effective
security. However, we can sometimes greatly optimize this tradeoff and
provide the best tools for admins to manage the system's point on it.

Hoping to find security "for free" somewhere is akin to looking for free
energy. The search may be greatly educational or produce very useful
related discoveries, but at the end of the day the laws of
thermodynamics are likely to remain satisfied.

Those looking for no-cost or extremely low-cost security either don't
place a high value on the protected resource or, given the options they
have imagined them, that they may profit more by the system being in the
less secure state. Sometimes they haven't factored all the options into 
their cost-benefit analysis. Sometimes it never occurs to them that the 
cost of a security failure can be much much greater than the nominal 
value of the thing being protected (ask Sony).

It was once said that nuclear physics would provide electric power that
was "too cheap to meter", i.e., they might not even bother sending you a
utility bill. Obviously that didn't happen. If your device's power
requirements don't justify power from the nuke plant the better question
might be how to make the battery-based options as painless as possible.
Toys used to always come "batteries not included". Now toys often
include a battery, but the batteries don't seem to have gotten much
better. Toy companies probably found that a potential customer being
able to press the button in the store display was worth the cost of a
bulk-rate battery.

So even if you're a web site just selling advertising and your users'
personal information, security is a feature that attracts and retains
users, specifically those who value their _own_ stuff. (Hint hint: this
is the kind with money to spend with your advertisers.) Smart people
value their own time most of all and would find it a major pain to have
to put everything back in order after some kind of compromise. Google
knows exactly what they're doing when they do serious security audits
and deploy multiple factors of authentication even for their free Gmail
users. This difference in mindset is why Hotmail and Yahoo! are now

I hope there was a coherent point in all of that somewhere :-) I know
I'm preaching to the choir but Brad seemed to be asking for arguments of
this sort.

- Marsh

More information about the cryptography mailing list