"Kevin W. Wall" <kevin.w.w...@gmail.com> writes: >I think you're giving the NSA way too much credit on why security sucks. Even >if we were to restrict 'security' to the scope of cryptography, even there, I >think the NSA has much less to do with dumbing down crypto security than >other factors.
Exactly. If the NSA didn't exist at all the only difference we'd notice is that there'd be less of this weird obsession with ECDSA (via pressure to adopt Suite B). Computer security as a whole wouldn't suck any less. >IMO, the biggest factor is that 95% or more of developers are completely >ignorant of best practices in cryptography. At the other end of the scale, 99.9% of developers who do know security have no idea how to create *usable* security. At the moment there are exactly two crypto-using products I can think of that I'd feel confident a random member of the public could walk up and use, those being Skype and iMessage. (Unfortunately to the crypto-purists they're not good enough because they're MITM-able. You should be tunnelling SIP over OpenVPN, it's really easy, here's a pointer to a list of links to 100-page discussion threads on web boards for ways of doing this that may work sometimes). Incidentally, the NSA is, from all the reports I've seen, even worse than we are at making security usable. My favourite publication on security usability, Laura Heath's "An Analysis of the System Security Weaknesses of the US Navy Fleet Broadcasting System, 1967-1974, as exploited by CWO John Walker?", goes into this in more detail. Peter. _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography