Shostack + Friends Blog Archive


Easier to get forgiveness than permission

So when will the public be able to easily and cheaply adopt useful security technologies that cost next to nothing?

Asks Nudecybot. And the answer is…NOW!

Why wait? Generate some keys and use them!

4 comments on "Easier to get forgiveness than permission"

  • nudecybot says:

    Correct me if I’m wrong but:
    Mail and Web client will still scream objections and warnings that communications may be compromised if they read certificates that are self-signed.
    The process of installing self-signed certs is still not the wizard-based ultra-easy does-it-while-you-set-up-your-mail-account (or web server etc)…well any of the easy to use processes I’ve seen invite me to pay some company a ridiculous amount of money for a cert.
    Sigh. Is this something that could be addressed? I guess GPG goes partway towards helping but my parents still can’t use that easily.
    Wheres the on by default and seamlessly integrated security of Groove and Shinkuro clients?

  • adam says:

    Yes, some software will scream. In cases where you’re in control (say, a corporate mail setting), you can tell users not to worry quite easily. Besides, users click yes on all the dialogs anyway.
    PGP is selling PGP Universal, which is an excellent step to easy and secure email.
    As for other things; write a patch or a plugin for mozilla that makes the dialog box make sense…Something like:
    The owner of this site hasn’t paid for someone he, and you, don’t know, to run a 1 second cryptographic operation on the site. If you’re not spending money here, or giving up deeply personal information, it probably improves your security to encrypt this data over the internet.

  • Iang says:

    Honestly, it beats me what the delay is. Why is there an install process at all? If there is no key currently available, the software should just generate a self-signed key straight away.
    I have no idea why the S/MIME mailer user agent people don’t add this. If you want people to use encrypted email, either self-generate the key, or put a button on that says “Create a self-signed cert.”
    If encrypted email is a valuable thing to the users, there’s no doubt that some of them will upgrade to CA-signed certs later on. If there is any benefit whatsoever to those certs, that is. And if there is no benefit, why are the developers forcing the users to use them???

  • Nudecybot says:

    Well I got off my ass today looking for something a little easier than GPG for my friends and family to use and I found this: WinPT – Windows Privacy Toolkit. Still a bit too complicated for the average user but…pretty cool. I’ll be trying it out and letting you know more.

Comments are closed.