- From: Henry Story <henry.story@bblfish.net>
- Date: Wed, 28 Mar 2012 12:15:31 +0200
- To: "Adrien W. de Croy" <adrien@qbik.com>
- Cc: "Willy Tarreau" <w@1wt.eu>, "Martin Thomson" <martin.thomson@gmail.com>, "HTTP Working Group" <ietf-http-wg@w3.org>
On 28 Mar 2012, at 10:29, Adrien W. de Croy wrote:

> ------ Original Message ------
> From: "Henry Story" <henry.story@bblfish.net>
>>
>> So your argument is stronger, since you argue that a lot of computers are malware
>> infested. Of course there the thing to do is for banks to add other methods of
>> verification or notification,
>>
> you're right on this count. One of my banks used to rely just on
> SSL/TLS.
>
> Now I have to carry a watch-word around... in fact 3 of them for my 3
> banks.

They could also just use systems such as those they use for credit cards: to look at usage patterns. Sending an SMS is also a good method, using a different system. Note that cell phones have a lot better security models than PCs, I am just learning at this identity conference in Switzerland, as they had things like Java built in, which can separate what downloaded apps can do. If cell phones can also be identified with hardware cryptography then you can remove the need for extra passwords and just use TLS.

> Are you suggesting websites should all start issuing physical security
> devices so that people can enjoy their site with REAL security
> or are you happy with the illusion.

Security is not an all or nothing question as your question assumes it is. You are opposing "real security" with "illusory security", but in fact as with knowledge you have more or less. You have deeper knowledge than someone else, but never full knowledge. And we can only have the knowledge we have in our society because each of us knows small pieces of the whole, and we coordinate our work.

> Maybe a better metaphor would have been the Matrix.

The Matrix is indeed a very good film, that asks the question of reality and illusion in a very entertaining way.

> We're not looking for blue pills here.

?

>>>
>>> We'll just lower the overall security by applying the same security
>>> enforcement to all sites. Connecting to your bank or to your WiFi
>>> router's admin page will look equally safe.
>>>
>>
>> Ah it is the "look" of security that is worrying you? Going to a bank should
>> "look" more secure than your router's admin page? But your router admin page
>> should be just as secure as the bank if possible, since that is another vector
>> of attack.
>>
>
> he meant the opposite. We're not interested in something masquerading
> as security. If we're going to place the cost on the world, it needs
> to provide actual security.

I want actual security to my router's admin page too. I don't think I need all the extra verifications my bank may want to do too, by looking at usage patterns and other things, but I don't think that reduces security either. Though perhaps one could create a neighbourhood watch program for routers. Or a friend-of-a-friend neighbourhood watch system...

>>>
>>> I don't think this is the
>>> intent of this move, really.
>>>
>>> Willy
>>>
>>
>> Social Web Architect
>> http://bblfish.net/
>>

Social Web Architect
http://bblfish.net/

Received on Wednesday, 28 March 2012 10:16:16 UTC