[cryptography] Diginotar Lessons Learned (long)

Andy Steingruebl andy at steingruebl.com
Sat Sep 10 13:22:41 EDT 2011

On Fri, Sep 9, 2011 at 6:22 PM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:

> May I make the following modest proposal:
>  A "fix" (of whatever form you want to try) is only regarded as valid if it
>  leads to at least a 25% decrease in phishing, measured over the interval
>  before and after its introduction.

We've had this discussion before.  Attackers will go wherever the
attacks are easiest, and if we don't fix things we know are attackable
(all/most of them) we're just pushing the problem around, not really
making the bad guys jobs easier.

We still need to prioritize of course, and fix the things being
exploited rather than just increasing key-lengths (the typical
approach) but that doesn't mean that fixing things that aren't being
exploited now, but we know can be exploited, is a waste of time.


- Andy

More information about the cryptography mailing list