Ian Brown wrote:
> I'd guess that many of the developing-world human rights groups funded
> by OSI would have legitimate reason to worry about wiretapping
> conducted by well-resourced opponents in their governments. They might
> also discuss information on a secure communication facility that they
> would avoid on a PSTN phone. So it's important they know where Skype
> lies on the spectrum between the two.
That's correct. www.cryptorights.org is a group that
specialises in dealing with that market. Curiously,
they have found evidence of MITMs from those
attackers, although I only have anecdotal accounts,
so nothing firm to report.
If one is actually going up against governments
("ours" or "theirs") then one needs to take more
care. Downloading just any crypto tool from the
net and using it without thought is a death warrant
with some of these use cases. (That's not an
exaggeration, or so I've been told.)
Note however, that these users know to take more
care; in that OSI funded the report (presumably)
for that very use case. The report may very well
accurately be read as "not suitable if your life
depends on it."
But, that has only limited bearing on those users
without a clearly identified life-threatening enemy.
What Skype ought to do - and clearly doesn't - is
list the limitations of the product clearly on their
website. The main concern that people have is
that because they say it is secure, nobody trusts
them. If they said it was insecure in X, Y, Z ways,
then people would trust them more (after verifying
that X, Y, Z were true).
But getting to a world where people will list the
security weaknesses honestly is a challenge that
we all face, on both sides of the crypto debate.
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]