The state of Internet security today is such that anyone describing themselves as a security expert is mistaken.
The Internet is under attack by organized criminals whose crimes succeed because we have not delivered a security infrastructure for the Internet that ordinary people can use.
When I started working on Internet security there was a widespread optimism that cryptography could solve any problem. All you had to do was make sure that you used enough of it. Today we are beginning to realize that it is not enough to deliver a machine loaded with programs that provide 'military grade' cryptographic security. The job is not done until we build systems that people actually use.
SSL has done an amazing job for the past ten years. It worked because it was so easy for people to use that people could use it without being aware that they were using it. Ten years is a long time for a cryptographic protocol to be in service in an environment that changes as much as the Internet. A protocol that has served us so well deserves some mid-life maintenance. Extended Validation certificates and Secure Internet Letterhead are an attempt to prepare SSL for its next decade of service.
We have done less well with DNS security, IP Security, S/MIME, PGP. All are excellent designs but none has seen widespread use for the purpose for which they were designed.
The barbarians are now at the gate. The Internet is under attack by organized criminals. We have to change our approach. The traditional information security approach is not providing solutions to the security problems we face. Military grade cryptography works for the military because they can order the soldiers to use the system no matter how painful it may be to do so.
We have to develop a new type of security for the Web, security that solves the whole problem and not just the parts of it that can be reduced to mathematics.
Most of all we have to abandon the misleading and misquoted slogans that are too often a substitute for thought. How often has the phrase 'Bad security is worse than no security' been used to justify another year of delay in agreeing a security protocol standard? And how many people who talk about 'end to end' security realize that the ends of an Internet communication are people not machines?