>>> Check esp. section 7.6 "So What Can We Do?".
>>
>> This paper is about a year old, and we discussed it here when it was
>> new.
>>
>> My favorite quote:
>> "Given a choice between dancing pigs and security,
>> users will pick dancing pigs every time."
>
> The quote above was taken out of context. The remaining paragraph starts:
A more telling quote is:
"For example, much of the
advice concerning passwords is outdated and does little
to address actual threats, and fully 100% of certificate
error warnings appear to be false positives."
While I sympathize with much of what is being discussed in the paper,
the second half of this statement either 1) dates the paper to an
earlier era, or 2) shows a clear misunderstanding of the modern threats
out on the internet. (Yes, Virginia, there are malicious hot spots out
there that will MITM your SSL connections if you ignore certificate
warnings.)
The main takeaways here are:
1) If you don't care about security (including authentication), don't
use encryption. You can get your dancing pigs every time, and you aren't
really keeping Big Brother from snooping on your traffic.
2) Unless you are a bank, do not try to 'force' your users into outdated
password advice. Passwords have a known (weak) level of security; for
most applications that level is sufficient. Let the user decide if the
data he keeps on your website is worth protecting or not.
3) If you are a website, make sure your cert is valid and up to date --
cert warnings are a thing of the past on almost all browsers -- failures
are now harder, and you better have better dancing pigs on your site
than anyone else.
4) Users, if you get cert failures, think very hard before you click
through, particularly if you are using an unknown hot spot!
bob
--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
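As an added example that is not part of the thread above (and not code from the paper or from the list), the following Python shows the programmatic counterpart of takeaways 3 and 4: a client TLS context that refuses to "click through" any certificate problem, and a check a site operator can run over the dict returned by `getpeercert()` to catch expiry and hostname mismatches before browsers start failing hard. The certificate contents, host names and function names are constructed for this example; only the `ssl` standard-library calls are real.

```python
import socket
import ssl
import time
from typing import Optional

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# Hypothetical values, not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
}

# A fixed "now" inside the sample certificate's validity window, so the
# checks below behave the same whenever they are run.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jul  1 00:00:00 2024 GMT")
DAY = 86400


def make_strict_context() -> ssl.SSLContext:
    """Client context that aborts the handshake on any certificate problem.

    This is the code equivalent of never clicking through a browser warning:
    an unknown issuer, an expired cert or a hostname mismatch raises
    ssl.SSLCertVerificationError instead of silently proceeding.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True if the context both requires a cert and checks the hostname."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def days_until_expiry(cert: dict, now: Optional[float] = None) -> float:
    """Days remaining before cert['notAfter']; negative once expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / DAY


def cert_names(cert: dict) -> set:
    """DNS names the certificate covers: SAN entries plus the legacy CN."""
    names = {v for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value)
    return names


def check_cert(cert: dict, hostname: str, now: Optional[float] = None,
               min_days: int = 14) -> list:
    """Problems a site operator should fix; an empty list means OK.

    Only what the getpeercert() dict can tell us is checked here (validity
    window and name coverage, exact match only, no wildcard handling);
    chain and trust validation is the SSLContext's job.
    """
    now = time.time() if now is None else now
    problems = []
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("not yet valid")
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        problems.append("expired")
    elif remaining < min_days:
        problems.append(f"expires in {remaining:.1f} days; renew now")
    if hostname.lower() not in cert_names(cert):
        problems.append(f"hostname {hostname} not covered by certificate")
    return problems


def check_live_site(hostname: str, port: int = 443) -> list:
    """Connect with strict verification, then run check_cert on the peer cert.

    Needs network access, so it is not exercised by the offline demo below.
    A verification failure surfaces as ssl.SSLCertVerificationError from
    wrap_socket(), before any application data is sent.
    """
    ctx = make_strict_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return check_cert(tls.getpeercert(), hostname)


if __name__ == "__main__":
    print(check_cert(SAMPLE_CERT, "www.example.test", now=SAMPLE_NOW))
    print(check_cert(SAMPLE_CERT, "www.example.test", now=SAMPLE_NOW + 200 * DAY))
    print(check_cert(SAMPLE_CERT, "evil.test", now=SAMPLE_NOW))
```

The point of splitting `make_strict_context` from `check_cert` is that the two catch different failures: the context enforces trust and hostname at handshake time, so a hot-spot MITM with a self-signed or mismatched cert never gets a byte of traffic, while `check_cert` with a `min_days` margin is the operator-side monitor that turns a coming expiry into a ticket rather than a hard failure in every visitor's browser.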