On Fri, 15 Sep 2000, Karl J. Runge wrote:
> Oh I don't know. It should likely be done in hardware at the head-end
> as it is done in the cable modem in the cable modem's chip(s).

  I am sure it would be done in hardware, but just because it is done in
hardware does not mean it is free.  Hardware costs money, too.  Cryptography
is computationally expensive, and if the OEM has the cryptography off-loaded
to a separate, optional module, then you are talking extra money for each
hook-up.

  I suppose, if the encryption support is included in all equipment, whether
you want it or not, then the hardware cost is the same.  But you've still got
that support cost -- and do I, as a MediaOne customer, really want to pay to
support something that only (IMO) gives one a false sense of security?

>> Meanwhile, the Internet is still an inherently insecure network, so they
>> really wouldn't be accomplishing much anyway.
> 
> It is true that if you *really* need privacy for certain communications
> you better do it end-to-end (PGP, SSL, ssh, etc...)

  *frown*  Your security is only as good as the weakest link in the network.  
Jumping through hoops to secure the first hop in a link before broadcasting
your traffic to all the world is, well, silly.  IMNSHO.

> And from the fact (belief?) that it is easier to compromise leaf nodes on
> subnets than routers and servers on nets closer to the backbone.

  Well... it is "easier" for the teenage script kiddie to fire up his favorite
packet sniffer and monitor the local Ethernet than it is for me to hack
Amazon's payment processing system.  But I think assuming that links further
away from you are more secure simply because they are further away is an
error.

> At work, in general, we usually think of peers on our subnet as more or
> less "trusted" (I understand there are exceptions to this), but in the
> ISP case a customer wants nothing to do with their peers and really
> wants things as though the peers (aka potential jerks) did not exist.

  You have to remember that, on the Internet, "your peers" is defined as,
basically, the planet Earth.  Sure, layer two is only connected relatively
locally, but layer three is routed everywhere.  I put exactly the same amount
of trust in my local ISP that I do in the cloud: None at all.

> Imagine that if with a local dialup ISP some bozo dialing into the same
> modem pool as you could PASSIVELY read all of your packets (in the
> comfort of his own home).  Not particularly desirable.

  Imagine that said bozo works at said ISP.

> A similar thing applies to DSL, although I know less about it. I
> imagine the DSL lines cannot be passively snooped by neighbors in the
> comfort of their own homes.

  You're assuming the ISP is somehow immune to security problems.  I can
assure you, that is *far* from the case.

> That neighbor you hate can read undetected all your email, web traffic,
> and steal your POP password!

  And they probably can anyway, even without a shared cable wire.

  Heck, most people use something really clever like "secret" for their POP
password.

> It would be nice if Mediaone turned on DOCSIS encryption just for
> tidiness' sake and so one could rule out subnet sniffing.

  You assume:

  - The cable company does everything correctly
  - The cable company employees are all trustworthy
  - The cable company itself is trustworthy
  - The encryption is implemented correctly
  - The encryption cannot be cracked
  - The encryption has no back doors

  I wouldn't bet much on that.  :-)

-- 
Ben Scott <[EMAIL PROTECTED]>
Net Technologies, Inc. <http://www.ntisys.com>
Voice: (800)905-3049 x18   Fax: (978)499-7839
