
Steve
I know your IP address
Consultant
join:2001-03-10
Foothill Ranch, CA
reply to Blackbird

Re: The Threat of Silence

said by Blackbird:

True encryption ought to be the standard, not the exception, for traffic on a public-accessed network.

How would you propose, even in broad strokes, for this to happen?

Encryption is trivial, it's key management that's the hard part.


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN

said by Steve:

said by Blackbird:

True encryption ought to be the standard, not the exception, for traffic on a public-accessed network.

How would you propose, even in broad strokes, for this to happen?

Encryption is trivial, it's key management that's the hard part.

Given what the Internet has grown up to be, it certainly wouldn't be as easy now as it might have been at inception. As a minimum, all traffic should have something akin to SSL protection, though with the security made more robust. Add to that redundant public-key depositories (along the lines of current DNS servers and certificates) for all traffic other than simple, passive web-page browsing, and a framework might just begin taking shape. The cost of true traffic security is invariably a certain loss of anonymity in order to verify key-holder ownership, at least to some degree... but one might also make "insecure" mode the option instead of the default as it is today, so that if one does not want the traceability of key-handling, they would be free to do without... assuming, of course, they could find someone on the other end of their traffic willing to participate.

I'm under no illusions. A public network can never be made as secure as a well-designed and operated private network. Security on the 'public' Internet has always been an afterthought, laid upon an architecture intentionally designed for accessibility and survivability. The problem today is that traffic security has become increasingly important, but it's still being conceptually treated largely from a band-aid and opt-in mentality... and that's visibly not working out well.
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville

OZO
Premium
join:2003-01-17
said by Blackbird:

The cost of true traffic security is invariably a certain loss of anonymity in order to verify key-holder ownership, at least to some degree...

Not necessarily. If P2P is involved in the design (and they've specifically mentioned it) and keys are generated (and then immediately destroyed) on the fly, there is no need to forfeit anonymity (as opposed to centralized PKI). Here is an example of a similar implementation (similar only in the idea behind it): ZRTP.

The authors are practicing a quite rare privacy-by-design approach, which shows respect to the end user, not to any other third-party entities (government, private snoopers, marketers, etc.). And they've committed to making the source code of the new technology publicly available. It's yet another sign of truly user-oriented intentions behind the project. That, IMHO, brings confidence in this privacy solution (along with the well-known authors standing behind it).

Good to hear that there are still some folks who care about privacy or people.
--
Keep it simple, it'll become complex by itself...
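The ephemeral, PKI-free agreement OZO is pointing at, as an added illustration written for this thread. It is not ZRTP itself and not code from the project under discussion: the 2048-bit MODP group is the published RFC 3526 "group 14" constant, but the "commit|"/"sas|" labels, the 4-character base32 SAS, the message framing and the names of the parties are assumptions that simplify ZRTP's real design. Both sides generate fresh Diffie-Hellman keys, the initiator commits to its public value by hash before the responder reveals its own, and the humans compare a Short Authentication String over the voice channel instead of consulting any certificate authority.

```python
import hashlib
import secrets

# RFC 3526 "group 14" 2048-bit MODP prime and generator (a published constant).
P = int("".join("""
FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74
020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437
4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED
EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05
98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB
9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B
E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718
3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF
""".split()), 16)
G = 2
BYTES = 256                                        # 2048 bits
SAS_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # assumed: 32 symbols, 4 chars = 20 bits


def new_keypair():
    """Fresh ephemeral DH key pair; the private half lives for one session only."""
    priv = secrets.randbelow(P - 3) + 2            # uniform in [2, P-2]
    return priv, pow(G, priv, P)


def encode(pub):
    return pub.to_bytes(BYTES, "big")


def commitment(pub):
    """Hash commitment the initiator sends before revealing its public value."""
    return hashlib.sha256(b"commit|" + encode(pub)).digest()


def responder_accept(received_commit, init_pub):
    """Responder checks the revealed initiator key against the earlier commitment."""
    return secrets.compare_digest(received_commit, commitment(init_pub))


def shared_secret(priv, peer_pub):
    """DH agreement with a range check: rejects 0, 1 and P-1 (degenerate values)."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("peer public value out of range")
    return encode(pow(peer_pub, priv, P))


def short_auth_string(secret, init_pub, resp_pub):
    """20-bit SAS bound to the session secret and both public values."""
    h = hashlib.sha256(b"sas|" + secret + encode(init_pub) + encode(resp_pub)).digest()
    bits = int.from_bytes(h[:3], "big") >> 4       # top 20 bits of the digest
    return "".join(SAS_ALPHABET[(bits >> s) & 31] for s in (15, 10, 5, 0))


def direct_session():
    """Alice (initiator) and Bob (responder) with nothing in between.
    Returns (alice_sas, bob_sas, commit_ok): the two SAS values match."""
    a_priv, a_pub = new_keypair()
    b_priv, b_pub = new_keypair()
    c = commitment(a_pub)                          # 1. Alice -> Bob: commitment only
    #                                              # 2. Bob -> Alice: b_pub
    commit_ok = responder_accept(c, a_pub)         # 3. Alice -> Bob: a_pub; Bob verifies it
    alice_sas = short_auth_string(shared_secret(a_priv, b_pub), a_pub, b_pub)
    bob_sas = short_auth_string(shared_secret(b_priv, a_pub), a_pub, b_pub)
    del a_priv, b_priv                             # nothing persists that could decrypt later
    return alice_sas, bob_sas, commit_ok


def relayed_session():
    """Mallory intercepts and completes one DH with Alice and another with Bob.
    She can read both legs, yet the SAS values Alice and Bob read aloud differ."""
    a_priv, a_pub = new_keypair()
    b_priv, b_pub = new_keypair()
    m_alice_priv, m_alice_pub = new_keypair()      # Mallory's key facing Alice
    m_bob_priv, m_bob_pub = new_keypair()          # Mallory's key facing Bob
    # Alice believes m_alice_pub came from Bob; Bob believes m_bob_pub (with
    # Mallory's own commitment) came from Alice.
    alice_sas = short_auth_string(shared_secret(a_priv, m_alice_pub), a_pub, m_alice_pub)
    bob_sas = short_auth_string(shared_secret(b_priv, m_bob_pub), m_bob_pub, b_pub)
    mallory_reads_both = (
        shared_secret(m_alice_priv, a_pub) == shared_secret(a_priv, m_alice_pub)
        and shared_secret(m_bob_priv, b_pub) == shared_secret(b_priv, m_bob_pub)
    )
    return alice_sas, bob_sas, mallory_reads_both


if __name__ == "__main__":
    print("direct :", direct_session())
    print("relayed:", relayed_session())
```

The commitment step is what makes a 20-bit SAS enough: without it, whoever speaks last could grind through candidate keys until the two legs' SAS values coincide; with it, an interceptor gets a single 1-in-2^20 chance per call. What the scheme does not do is bind either party to an identity, which is exactly the trade Blackbird describes: the humans verify that their two sessions are the same session, and no third party learns who they are. ZRTP itself additionally carries cached secrets from earlier calls forward, which the example leaves out.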


Wildcatboy
Invisible
Premium,Mod
join:2000-10-30
Toronto, ON
reply to Steve
said by Steve:

said by Blackbird:

True encryption ought to be the standard, not the exception, for traffic on a public-accessed network.

How would you propose, even in broad strokes, for this to happen?

Encryption is trivial, it's key management that's the hard part.

The ability and the infrastructure are already in place for email. All you need is a free S/MIME certificate like this for each side. The problem is that although all email clients support the feature, having a certificate is not mandatory. I send dozens of emails to dozens of people daily, but the majority of them don't have a certificate installed; therefore I can't send them encrypted emails.

All you need for this to become widely used is to make the feature mandatory in popular email clients like Thunderbird or Outlook, etc. When you set up your email client, you add your name, email address, and SMTP and POP server addresses, and it should download and install a certificate for you automatically, and you and the rest of the world would be sending encrypted emails, no training required.

Similar procedures could be implemented and mandated for browsers and popular web servers such as Apache and IIS to use similar key exchange procedures. They just need to be implemented in web browsers and web servers, the majority of which, by the way, are open source or at least security conscious.

By securing the web browser and email data transfers you would be covering the majority of the Internet data flow and you don't need a key management infrastructure beyond what is already in place.
--
You can catch the Devil, but you can't hold him long.