

Can Internet security ever work? (2011) - rdl
http://cryptome.org/0005/net-sec-ever.htm

======
acqq
The article was written by

[http://en.wikipedia.org/wiki/Jon_Callas](http://en.wikipedia.org/wiki/Jon_Callas)

He obviously thought a lot about the mentioned issues. A lot of very good
points. Note that Google seems to have recently started to make their own new
certificates much more often -- it seems to be in line with some of his
ideas in the article.

------
iamsalman
SSL should never have been taken as the only requirement for making HTTP
communications secure. IMHO, once you send off any piece of information (your
personal data, files, photos, videos, etc.), you can never know where they end
up unless you have encrypted them yourself and they always exist in encrypted
form outside of your computer. Data security is really an insurance product:
you only know how good it is when something goes wrong.

Slightly off-topic for this article, but Cloud security is all the rage these
days. Either you set up some sort of app/gateway to encrypt all data which
goes to the Cloud for archiving and/or processing and decrypt it when it comes
back for viewing/updating/consuming etc., OR you buy into the illusion of data
security on the Cloud.

~~~
_asciiker_
I disagree, we wouldn't be where we are today if it wasn't for SSL, faults and
all.

------
zaroth
Loved this part about certificate revocation... again, in 2011;

       It turns SSL into the worlds biggest privacy leak.

       But worse than that, it turns those revocation servers into critical
       Internet infrastructure. What fun Anonymous can have when they turn
       the LOIC not on Mastercard, but on an OCSP server and thus cause commerce
       failures to happen everywhere. Locks create burglars, guys.

Man, Anonymous has been trolling for a long time. Not so much lately?

------
kevinwang
I'm just commenting to say that there's an unfortunate typo in the 5th full
paragraph:

         It is *the* problem that is created by pubic key cryptography;

Obviously, it should say public key.

~~~
wglb
Yes, and this article is not alone:
[https://www.google.com/search?q=pubic+key+cryptography&oq=pu...](https://www.google.com/search?q=pubic+key+cryptography&oq=pubic+key+cryptography&aqs=chrome..69i57j0l5.8758j0j4&sourceid=chrome&es_sm=119&ie=UTF-8#q=%22pubic+key+cryptography%22)

------
vilda
Security is a process, not a product
([https://www.schneier.com/essay-062.html](https://www.schneier.com/essay-062.html))

We have to learn on the way and continuously improve all aspects of
Internet security, whether it is software use, SSL/TLS, DNS, routing...

~~~
_asciiker_
Exactly what I think. Security is a continuous process that requires
flexibility and permanent learning!

