Shostack + Friends Blog Archive

 

Easier to get forgiveness than permission

So when will the public be able to easily and cheaply adopt useful security technologies that cost next to nothing?

Asks Nudecybot. And the answer is…NOW!

Why wait? Generate some keys and use them!

Originally published by adam on 10 Nov 2004
Last modified on 10 Nov 2004
Categories:   economics   Security   Uncategorized  

4 comments on "Easier to get forgiveness than permission"

  • nudecybot says:
    11 Nov 2004 at 11:25 am

    Correct me if I’m wrong but:
    Mail and Web client will still scream objections and warnings that communications may be compromised if they read certificates that are self-signed.
    The process of installing self-signed certs is still not the wizard-based ultra-easy does-it-while-you-set-up-your-mail-account (or web server etc)…well any of the easy to use processes I’ve seen invite me to pay some company a ridiculous amount of money for a cert.
    Sigh. Is this something that could be addressed? I guess GPG goes partway towards helping but my parents still can’t use that easily.
    Wheres the on by default and seamlessly integrated security of Groove and Shinkuro clients?

  • adam says:
    11 Nov 2004 at 11:33 am

    Yes, some software will scream. In cases where you’re in control (say, a corporate mail setting), you can tell users not to worry quite easily. Besides, users click yes on all the dialogs anyway.
    PGP is selling PGP Universal, which is an excellent step to easy and secure email.
    As for other things; write a patch or a plugin for mozilla that makes the dialog box make sense…Something like:
    The owner of this site hasn’t paid for someone he, and you, don’t know, to run a 1 second cryptographic operation on the site. If you’re not spending money here, or giving up deeply personal information, it probably improves your security to encrypt this data over the internet.

  • Iang says:
    11 Nov 2004 at 2:04 pm

    Honestly, it beats me what the delay is. Why is there an install process at all? If there is no key currently available, the software should just generate a self-signed key straight away.
    I have no idea why the S/MIME mailer user agent people don’t add this. If you want people to use encrypted email, either self-generate the key, or put a button on that says “Create a self-signed cert.”
    If encrypted email is a valuable thing to the users, there’s no doubt that some of them will upgrade to CA-signed certs later on. If there is any benefit whatsoever to those certs, that is. And if there is no benefit, why are the developers forcing the users to use them???

  • Nudecybot says:
    11 Nov 2004 at 11:42 pm

    Well I got off my ass today looking for something a little easier than GPG for my friends and family to use and I found this: WinPT – Windows Privacy Toolkit. Still a bit too complicated for the average user but…pretty cool. I’ll be trying it out and letting you know more.
    http://winpt.sourceforge.net/en/

Comments are closed.