[nSLUG] Re: Wikipedia changes/limits protocols?

Mike Spencer mspencer at tallships.ca
Thu Jul 16 00:42:50 ADT 2015


Following up to myself:

George N. White III wrote:

> If you only encrypt traffic to one site that tells an eavesdropper
> something about your activities.
>
> If all internet traffic is strongly encrypted that makes it harder
> for eavesdroppers to identify "interesting" traffic.

which is just what Bruce Schneier wrote in his 15 July '15 Crypto-gram
newsletter:

    Encryption should be enabled for everything by default, not a
    feature you turn on only if you're doing something you consider
    worth protecting.

    This is important. If we only use encryption when we're working
    with important data, then encryption signals that data's
    importance. If only dissidents use encryption in a country, that
    country's authorities have an easy way of identifying them. But if
    everyone uses it all of the time, encryption ceases to be a
    signal. No one can distinguish simple chatting from deeply private
    conversation. The government can't tell the dissidents from the
    rest of the population. Every time you use encryption, you're
    protecting someone who needs to use it to stay alive.

The thing is, I may be more paranoid than Schneier, or at least less
trusting.

I'm not smart enough to verify the crypto math nor to write
bulletproof code that implements it.  But I'm more or less willing to trust
the individual code hackers -- natural persons -- who are smarter than
I am.  I can infer their trustworthiness -- street cred -- from
various public info.  Sometimes I know people who know people who
know the coders. I can look at who uses and who critiques the
software. I can read the RFCs. Other stuff like that....that's what
people do about trusting people.

But I can't bring myself to trust large corporate (for loose
definitions of "corporate") entities whose activities or products are
generated by huge teams, managed by, well, you know, managers and
executives with an eye on shareholder value, bottom line and
survival in the political arena.

And the crypto in HTTPS appears to me (am I wrong?) to depend on
impenetrable browser code and a (too?) widely distributed mare's nest
of authentication of just that sort of origin.


Well, I'm blundering pretty far off the list topic.  Better shut up
until I've done a lot more reading.

ObLinux: Still don't know why FF did one thing repeatedly and failed
one night, did a whole different thing and succeeded the next.


- Mike

-- 
Michael Spencer                  Nova Scotia, Canada       .~. 
                                                           /V\ 
mspencer at tallships.ca                                     /( )\
http://home.tallships.ca/mspencer/                        ^^-^^



