[SSL Observatory] [cryptography] After the dust settles -- what happens next? (v. Long)

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Sep 12 12:22:39 PDT 2011 

Paul Hoffman <paul.hoffman at vpnc.org> writes:

>We don't "all" observe that. Some of us observe a third, more likely
>approach: nothing significant happens due to this event. The "collapse of
>faith" is only among the security folks whose faith was never there in the
>first place. A week after the event, who was talking about it other than
>folks on these lists and lists like them?

  "Most people, I think, don't even know what a Rootkit is, so why should they
  care about it?".

>From reading a number of blogs and some major techie sites like Slashspot
(usually disclaimer about the Slashspot audience), the comments are almost
uniformly negative about PKI.  There is close to zero confidence in PKI in the
technical community [0], at least as represented by the likes of the Slashspot
audience.  If that's a representative sample (it's probably the best we can
get) then it seems the only people who still have faith in PKI are the ones
who don't know it exists (Joe Sixpack browser user, who trusts in the browser
to keep him safe).

>This is not to say that nothing should happen: it should, but it should have
>happened long ago. The fact that it didn't, and continues not to, should be
>significant to those predicting what will happen "next".

Some years ago I predicted that it'd take an Enron-scale catastrophe to
finally get browser security fixed.  I was hoping this one was big enough, but
I have a horrible feeling that, as you say, it'll be business as usual a month
from now.  The only real difference now is that the technical community now
pretty uniformly knows that it's all just security theatre.  The problem with
that is that unless we (the security geeks) step up with solutions to address
the problem, we'll end up with vast numbers of exquisitely homebrew (and
insecure) hacks as people try and compensate for the ineffectiveness of the
theatre.

Peter.

[0] I'm being conservative here, in practice I don't recall seeing anyone
    expressing faith in PKI, but I didn't read every one of the vast numbers
    of comments.

More information about the Observatory mailing list