[messaging] Are we pursuing real solutions for security?
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Mar 11 10:33:20 PDT 2014
On 03/11/2014 01:26 PM, Tony Arcieri wrote:
> On Tue, Mar 11, 2014 at 6:15 AM, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
>
>> Short Authentication Strings have potentially severe problems in
>> anything other than a human→human synchronous communications
>> environment
>
> This is the only use case of fingerprints I'm considering in this thread.
> I'm not talking about their use by machines in e.g. cryptographic protocols
The dialog box image you linked to (http://i.imgur.com/2bEWKNS.png) is a
joke about Internet Explorer, which is a classic example of
human→machine interaction (the user of the web browser is trying to
authenticate a remote machine, which is the web server), not human→human
interaction.
This use case is still a real security issue, and i haven't heard a
plausible answer yet about how SAS can be used to verify a web server's
key without introducing a number of troubling vulnerabilities.
Just because a SAS is useful for one case doesn't mean that exploring
other problem spaces is "studying the wrong solution".
--dkg