Throw away the Internet to improve security? Well, that would do it, but it's as drastic as cutting out your eyes to reduce glare. The article is really stupid -- e.g. SMTP already has a certificate infrastructure in S/MIME, and there's no need to rip out IP (see IPsec).

Rescorla is soon to give a talk at USENIX entitled "The Internet is Too Secure Already", which points the finger not at the user (it's pointless to blame them) but at the incentive structure, which encourages people to spend too much time making sure that systems are impregnable against high-end attacks. The field is full of papers perfecting stuff that's already really good rather than fixing the stuff that's really bad. Usually the real problem is that we don't have a deployable, usable system which integrates good-enough cryptography into our applications and networks. Companies may now finally be willing to pay for that, which they haven't in the past, out of their own needs and because of new government regulations (like HIPAA).

Update: I previously said that Ekr already gave this talk but he's in fact going to give it in August.

