1995-10-18 - Re: Postscript in Netscape

Header Data

From: “J. R. Valverde (EMBL Outstation: the EBI)” <txomsy@ebi.ac.uk>
To: cypherpunks@toad.com
Message Hash: 254d67a0b29dac31dae65a5059f477ce78a4a2c3eb4898f8cd4b30cc8c956060
Message ID: <199510181242.NAA26611@neptune.ebi.ac.uk>
Reply To: <9510181156.AA11525@all.net>
UTC Datetime: 1995-10-18 12:43:06 UTC
Raw Date: Wed, 18 Oct 95 05:43:06 PDT

Raw message

From: "J. R. Valverde (EMBL Outstation: the EBI)" <txomsy@ebi.ac.uk>
Date: Wed, 18 Oct 95 05:43:06 PDT
To: cypherpunks@toad.com
Subject: Re: Postscript in Netscape
In-Reply-To: <9510181156.AA11525@all.net>
Message-ID: <199510181242.NAA26611@neptune.ebi.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain


>WRONG!!! Netscape claims to be "secure" - hence it is Netscape's job to
>be secure - regardless of the user's use of their product.  Otherwise,
>the ads should read:
>
	By that rule, it should instead say: "Netscape is only secure if
"you use it in a physically secure computer, only accessible to the person
"using it, with an absolutely secure OS, configured for maximum security,
"totally bug-free, using a network connection that only spans trusted hosts
"with absolute security levels at least as stringent as that of origin,
"that can in no way whatsoever be tapped or otherwise tampered with,
"and to which only persons of absolute trust (if that thing exists) for
"the original user have access. And that only if God doesn't decide to
"make a miracle to break the security or a quantic effect doesn't suddenly
"materialize some kind of horrible and unknown monster from another dimension
"with evil intentions against that specific user of Netscape and power
"enough to break his/her tight security ring! Oh, and provided the user doesn't
"suddenly become mad and etc, etc, etc..." You could go on forever.

	Look, the truth is that no matter how you put it, there is always
a weakest link which is the human factor. The most you can say is that any
method -cryptographic or not- is as secure as the weakest link in the whole
environment in which it is used.

	That stated, the farthest you can go is to guarantee only the security
of *your* crypto -or whatever- method and only as far as commonly accepted
wisdom and knowledge allow you to do so. You can't be sure there is no
one there who knows how to factor big numbers, and is keeping silent and
becoming very rich breaking into other people's information.

	I think it is fair if anybody says that their product -or crypto-
method, considered isolatedly, has a given level of "accepted" strength. With
that in their hand any minimally intelligent user should be able to evaluate
the security of his/her own setup given all the -infinite- things that can
go wrong and his/her personal trust in mankind.

	Otherwise it would be like asking car makers to give you a detailed
listing of the relative resistance of all the materials in the car against
any possible other matter in the Universe into which you could possibly
crash. Imagine it: The new XXXX is safe to drive as long as you don't crash
into a truck, concrete wall, jump over a cliff, submerge into deep ocean,
or a nuclear bomb doesn't explode over your head...!

				jr




