Flutterby™! : (in)SecureDelivery

Next unread comment / Catchup all unread comments User Account Info | Logout | XML/Pilot/etc versions | Long version (with comments) | Weblog archives | Site Map | | Browse Topics


2000-11-29 14:20:09+00 by Dan Lyke 6 comments

Just got a message via SecureDelivery, which uses HTTPS to let you transfer encrypted data. While retrieving it, my first attempt to set a passphrase failed. This showed up a flaw in the system: If my email is compromised, at best the SecureDelivery[Wiki] system can warn me, but no matter what that supposedly secure data isn't. Guess what my next Fucked Company pick is going to include?

[ related topics: Interactive Drama ]

comments in ascending chronological order (reverse):

#Comment made: 2002-02-21 05:30:37+00 by: ebradway

Heh... Like so many encryption systems being pushed today, they have fallen into the trap of trying to make encryption easy to use. That usually entails an inadequate authentication scheme. Secure Email, such as S/MIME and PGP, actually provide two things: encryption and authentication. The encryption makes sure no one, other than the intended recepient, can view the contents of the email, and authentication provides guarantees to the recepient of who the sender is. Right now authentication is more important than encryption. Authentication requires that the people administering the system take great care in handing out whatever tokens are used to represent an authenticated user (X.509 certs in the case of PKI or PGP keys in the case of PGP). Then the user has to keep the private tokens secure themselves. These two things are nearly impossible today. The first really requires that the tokens be hand-delivered by someone who recognizes the recepient based on prior contatct and the second pretty much mandates the use of biometrics... But I'm starting to rant... SecureDelivery is a cute idea, especially providing transparent compatibility with X.509 and PGP, but ultimately they are reducing a digital certificate down to just a user id and password (check out Entrust TruePass to see just such a deprecation of security by a 'major player').

#Comment made: 2002-02-21 05:30:37+00 by: ghasty

Spoken like an true Security Architech...

#Comment made: 2002-02-21 05:30:38+00 by: spink

Well, on way is smart cards. I signed up for the AMEX Blue card a while back and got the free smartcard reader. I actually store all my PGP stuff on it now. It only touches a computer when I need to en/decrypt something. Also Compaq is currently shipping finger print scanners will some of its computers.

#Comment made: 2002-02-21 05:30:38+00 by: Dan Lyke

Fingerprints... Via Identity a neat article on the myth of fingerprints.

#Comment made: 2002-02-21 05:30:39+00 by: ebradway

The Rectal Scanner (pats. pend.) is the only means of positive identification that defies attacks by making it generally uncomfortable to attempt to bypass security. The device mounts in the chair in front of the computer. The user then disrobes, lubes the communication port to be 'scanned' and sits down. The folds and polyps of the colon happen to be unique to two-hundred decimal places... Or at least, no one has stepped forward to argue findings...

#Comment made: 2002-02-21 05:30:40+00 by: Dan Lyke

This calls for a re-reading of Bruce Bethke's Headcrash[Wiki] with the ProctoProdtm VR interface...