[messaging] Are we pursuing real solutions for security?

Tao Effect contact at taoeffect.com
Tue Mar 11 16:34:34 PDT 2014


Hi Tony,

but are fingerprints even a good idea?

I don't think so, and they are not necessary for the most part.

I'm working on a way to bring down the number of fingerprint checks to zero (for most people), and one (for those who can understand the concept).

This is accomplished by using blockchains to distribute public key fingerprints.

There is a working implementation of this called DNSChain (one of the projects that I'm working on):

http://github.com/okTurtles/dnschain

DNSChain makes it possible to check a fingerprint (for the DNSChain server) once, and from then on never worry about it again.

One of the goals of DNSChain is to secure TLS from MITM attacks, and thereby secure HTTPS (and all other protocols that depend on TLS) from such attacks. Simultaneously, it greatly simplifies network security for end-users.

Details are on GitHub and in this blog post:

http://blog.okturtles.com/2014/02/introducing-the-dotdns-metatld/

Cheers,
Greg


--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Mar 11, 2014, at 6:33 AM, Tony Arcieri <bascule at gmail.com> wrote:

I feel like solutions that rely on manual verification of key fingerprints fall into this category:

http://i.imgur.com/2bEWKNS.png

I don't think these solutions are providing effective security. I feel we need to start from the real needs of real users, and work backwards.

One can propose a study for optimum time-based fingerprint verification and study fingerprint accuracy, but are fingerprints even a good idea? I feel that's where you need to start with any sort of usability study.

Cryptocat's usability studies are addressing this problem. Short Authentication Strings are addressing this problem. Solutions for optimal fingerprint comparison accuracy, IMO, are ignoring the problem, and studying the wrong solution.

Thoughts?

--
Tony Arcieri