Keys not trusted
David Shaw
dshaw@jabberwocky.com
Fri May 16 20:26:01 2003
--liOOAslEiF7prFVr
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Fri, May 16, 2003 at 08:16:06AM +0200, Adrian 'Dagurashibanipal' von Bid=
der wrote:
> On Friday 16 May 2003 03:54, David Shaw wrote:
>=20
> > It's one of those eternal questions whether it is better if a system
> > is perfectly secure, but not many people use it, or if it is less
> > secure, and many people use it. One way to put this is to ask whether
> > it is better to encrypt and be vulnerable to a man in the middle
> > attack... or to not encrypt and be vulnerable to everything ;)
>=20
> I guess for some the big is that the people using a
> security-made-easy system - where some vulnerabilities are traded
> against convenience - won't be aware of these vulnerabilities but
> just assume that their system is absolutely 100% secure. So, when
> the first attack comes that uses this well known (amongst those who
> care to know) vulnerability, people will yell 'but you promised us a
> secure system' - and there's nothing you can do. Telling them that
> it wasn't designed to be secure in this way will not help you, then.
Yes, this is absolutely true. I'm not sure what the answer is for
that except perhaps education... and we all know that users don't read
the manuals ;)
David
--liOOAslEiF7prFVr
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc
iD8DBQE+xQn44mZch0nhy8kRAvs0AKCxtJzhkoe//IOEenj7RU13KRoxlQCgsuaL
Ci6gDxarLMdyMuVKo+5hC8M=
=zgc+
-----END PGP SIGNATURE-----
--liOOAslEiF7prFVr--