Crypto Snake Oil

An anonymous reader writes "Luther Martin of Voltage Security has published an article about the perception of cryptography today with regards to quality and honesty in vendors. From the article: 'Products that implement cryptography are probably credence goods. It requires expensive and uncommon skills to verify that data is really being protected by the use of cryptography, and most people cannot easily distinguish between very weak and very strong cryptography. Even after you use cryptography, you are never quite sure that it is protecting you like it is supposed to do.'"

Obligatory SoaP reference

[Conanymous+Award]

Samuel L. Jackson's favorite dish: Snakes in Oil! Probably virgin oil at that.

Don't use weak ROT-13

[CrazyJim1]

Get creative, use Rot-14 or something.

Re:Then use OSS!!

[portmapper]

See Peter Gutmann's analysis of open source VPNs back in 2003.

That has the following great suggestion:

Whenever someone thinks that they can replace SSL/SSH with something much better that they designed this morning over coffee, their computer speakers should generate some sort of penis-shaped sound wave and plunge it repeatedly into their skulls until they achieve enlightenment. Replacing the SSL/SSH data channel is marginally justifiable, although usually just running SSL/SSH over UDP would be sufficient. Replacing the SSL/SSH control channel is never justifiable - even the WAP guys, with strong non-SSL/SSH requirements, simply adapted SSL rather than trying to invent their own protocol.

Re:Still not too bad

behind the fire extinguisher in the hall between room A and room B. Security through obscurity!

Re:Still not too bad

[BobNET]

Room A does not have locks on any of the lockers. Room B has locks, but all of them have the same combination. In which one is a person more likely to leave their wallet?

Put the wallet in your sneaker. I put it down by the toe, they never look there!