[cryptography] SSL is not "broken by design"

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Sep 20 03:48:36 EDT 2011


Nico Williams <nico at cryptonector.com> writes:

>For a desktop I'd say: [...]
>
>For smartphones and tablets I'd say: [...]

You can't do UI design like this, because chances are it's not going to work.
By this I mean that we have 10-15 years of statistics showing that this
approach doesn't work, so when I say "chances are" I mean "existing statistics
say ...".  You need to look back at the 15 years of statistics and research
and see what goes wrong, and in what way, and then build something based on
that.  I give one example in the talk that I've referenced several times now,
which is based on a great many user studies on what does and doesn't work.  We
can (probably) do effective UI for this by turning the attackers' tactics
against them, but you need to understand the environment in which you're
operating rather than simply proposing a solution.

Peter.


