On 11/16/2013 01:32 AM, Theodore Ts'o wrote: > On Fri, Nov 15, 2013 at 11:56:14AM -0300, Steve Crocker wrote: >> I've been watching this thread for a while. The idea of making it >> harder without actually expecting the encryption to work seems like >> an implicit admission of failure. > > There's a question which is being begged here when using the > terminology "to work". What's your definition of success? > > For example, using D-H with no attempt to authenticate the endpoints > means does not protect you against an active attacker who is carrying > out a MITM attack. However, it does protect you against a passive > attacker which is vaccuuming up all networking packets and either > looking for keywords or storing it all in some big data warehouse in > Utah. It forces said attacker to play MITM games, with all of the > attendant costs of decrypting and re-encrypting all of the data > streams, such that the attacker would consume a lot more power, and > make it much harder for pervasive surveillance to be hidden in some > tiny phone closet in some telecom's fiber room. > > The old world-view was if you couldn't protect against an active > attacker, you might as well not do anything at all. So admitting > failure with the old world view, which required us to "go big or go > home" (with the result that in many cases vendors just went home, and > left huge portions of internet traffic completely unencrypted) might > be first step to wisdom. We've tried things the old way, with the > result that IPSEC is so painful that it only gets used in a very > restricted problem domain such as VPN's. Maybe it's time to try > something new, that indeed only makes things harder for pervasive > surveillance, without necessarily making it impossible against a > directed attack. > > As far as I'm concerned, making things harder, even if it is not > guaranteed to protect against all attack scenarios, is an example of > something which works --- it works to protect against a specific > threat model that appears to be a real one that we need to be worried > about. Very well put. For this community, this is *the* most important lesson to learn from snowdonia. >> I think the right posture is to >> make privacy via encryption the default at every level, or perhaps >> even mandatory, and to expect it to work. Key management has to be >> seamless and automatic, and the software and hardware have to be >> trusted. > > I agree that we will probably need encryption at multiple levels; but > I also think we can't assume that software and hardware "have" to be > trusted. The design must be robust, and not fragile, which is one of > ther reasons to have encryption at multiple layers. It also means > that we should have at least one layer which doesn't assume (for > example) that we can trust that all 600+ CA's which are authorized to > certify all web sites in the world are trustworthy. That's not an > admission of failure; that's an engineering design which is designed > to robust, in the face of failures, which *WILL* happen. Other than maybe s/600+ CAs/~100 organisations/ also true. I hope a lot of people read the top half of this at least. S. > > - Ted > > >