Slashdot Mirror


What's Holding Back Encryption?

nine-times writes "After many years in IT, I've been surprised to notice how much of my traffic is still unencrypted. A lot of businesses that I interact with (both business and personal) are still using unencrypted FTP, and very few people use any kind of encryption for email. Most websites are still using unencrypted HTTP. DNSSEC seems to be picking up some steam, but still doesn't seem to be widely used. I would have thought there would be a concerted effort to move toward encryption for the sake of security, but it doesn't seem to be happening. I wanted to ask the Slashdot community, what do you think the hold up is? Are the existing protocols somehow not good enough? Are the protocols fine, but not supported well enough in software? Is it too complicated to manage the various encryption protocols and keys? Is it ignorance or apathy on the part of the IT community, and that we've failed to demand it from our vendors?"

19 of 660 comments

  1. Costs? by tsj5j · · Score: 4, Insightful

    Isn't it the case in enterprises where they would rather keep things status quo instead of adding additional layers of (potential) problems? I believe they won't convert unless there's sufficient financial (dis)incentive to do so.

    1. Re:Costs? by Lord+Ender · · Score: 4, Insightful

      It's key management and distribution, not cost. The costs are very low. Training everyone to exchange S/MIME keys, for example, is just too damn hard.

      When email clients can automatically look up other people's certificates using DNS, then encryption will hit the mainstream.

      (Oh, and bass-ackward companies like Apple are also holding back encryption. The iPhone can't do Secure Email after all this time? Really, Apple? Really?)

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    2. Re:Costs? by characterZer0 · · Score: 4, Insightful

      Option 1: Allow clueless customers to send sensitive data via FTP. Keep customers. Make money.

      Option 2: Require clueless customers to send sensitive data via SFTP. Lose customers. Lose money.

      --
      Go green: turn off your refrigerator.
  2. Self-signed is no good. by Anonymous Coward · · Score: 5, Insightful

    Maybe when getting a server cert is free/easy people will do it de facto. But right now it's either shell out for an SSL cert or greet every traveller with the "omg this site has a self-signed cert!!!oneone" browser warning.

    1. Re:Self-signed is no good. by Cimexus · · Score: 4, Insightful

      Agreed.

      Also I'd argue that there's no real need for the majority of HTTP traffic to be encrypted anyway. Certainly anything that's a 'two way' kind of site (anything that allows users to post stuff, or allows/requires them to sign in) is probably wise to encrypt, but for standard 'read only' websites where anyone can just read stuff, why bother encrypting? Even Slashdot doesn't require HTTPS connections for anything other than the sign-in process - again because there's no point encrypting things that are not usernames/passwords/sensitive information.

      HTTPS has a significant performance overhead too, which is worth keeping in mind.

      This applies to email as well, in a way. For the average user that just wants to fire up their Thunderbird/Outlook Express/other mail client of choice, getting a cert (e.g. from Thawte) is just too difficult. It needs to be seamless and built-in before the masses will use it.

    2. Re:Self-signed is no good. by R2.0 · · Score: 5, Funny

      "With a 15 Mbit residential connection and a 2Ghz processor, I find it hard to believe that the performance drop will matter...to me.

      To the server, maybe.

      Oh, and what's wrong with a self-signed cert? The data is still encrypted, isn't it? "

      You flew in a private jet to Congressional hearings, didn't you?

      --
      "As God is my witness, I thought turkeys could fly." A. Carlson
    3. Re:Self-signed is no good. by schnablebg · · Score: 5, Interesting

      Actually /. does not make it even possible to log in via HTTPS, at least with JavaScript turned on. The Totally Sweet JavaScript popup they use for login is sent over plain HTTP, because it is not possible to POST to HTTPS via JavaScript due to the same origin policy in browsers. If it is possible to get an HTTPS login page on /., I can't figure out how to do it.

    4. Re:Self-signed is no good. by FrozenGeek · · Score: 4, Insightful

      There is a good reason for the majority of HTTP traffic to be encrypted: Deep Packet Inspection. If you want to stop your ISP, your government, etc, from using DPI, the most effective way to do so is to negate the value of it. HTTPS negates the value of DPI.

      Personally, I hate the idea of DPI as a matter of principle. Therefore, I like HTTPS.

      --
      linquendum tondere
  3. I have encrypted this post by fridaynightsmoke · · Score: 5, Insightful

    I have encrypted this post as my contribution to making encryption more widespread.

    Here you go:
    kkjkjGHIUgibilhjGHLiubhjbiu78HVji67gfUKGHVuygjh VljhbvolygILJKbIyugIJbikhjbKJBkbvkjnfJ.a,mx jchkdjqJiufhpi9fu{ywe9f8iunsiochjaijkcs

    The fun part is that the (UK) cops can demand a decryption key for that, and lock me up when I inevitably fail to provide one....

    --
    This is a substitute for a clever sig that fits within the maximum number of characters.
  4. Signed certificates by Spazmania · · Score: 4, Insightful

    Signed certificates are holding up encryption. Opportunistic encryption doesn't happen if it has to be carefully pre-planned.

    Yes, unsigned encryption is vulnerable to MITM. So what? It protects against the far more common traffic sniffing and a plethora of other attacks.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  5. I'll tell you what it is... by multipartmixed · · Score: 5, Interesting

    ...encrypted communications are too bloody hard to debug!

    With unencrypted protocols, I can whip out the packet sniffer and find out *exactly* what's going on. With encrypted protocols, I have to write reports like "we have verified our software configuration and believe it to be correct; perhaps the problem is at your end?"

    Maybe we need to come up with a standard way of encrypting things, that our packet sniffers somehow know how to decode. Maybe even with a "relax the crypto" configuration flag we can throw during debug.

    --
    Do daemons dream of electric sleep()?
  6. Inertia by grub · · Score: 5, Insightful


    What's Holding Back Encryption?

    Simple: INERTIA.

    Remember back in the day when the OpenBSD guys said Enough Already and pretty much dropped telnet, rsh, rcp, rlogin, etc. for the SSH suite of tools? Yeah, a bit of growing pains at the time but no one would want to go back. It took some time but finally other open source projects followed suit.

    People are lazy; if there's no push to change, most won't, no matter what benefit the change offers.

    --
    Trolling is a art,
    1. Re:Inertia by Anonymous Coward · · Score: 5, Insightful

      I can second that. A few years ago I was working as a database / web programmer for a company when my boss for the small intranet applications group decided that all internal applications should run over SSL/TLS. Most of the business applications didn't convey any sensitive information, but some exposed personal information such as customer name, address, bank routing number, social security number, phone numbers, etc. The internal network was all switched Ethernet, of course, but just about everyone was switching over to laptops with WiFi, which does carry a certain risk of packet sniffing. We switched over to HTTPS in the test system to find out that the image server run by another group didn't support it. This meant that our users would have had to either see a lot of warning messages about "insecure" elements on the page or turn down IE's already lax security settings so much they wouldn't ever get any meaningful warnings. Since the group that served up images didn't care at all about encryption and wouldn't budge, the initiative was scrapped.

      What should have been a nearly trivial process was shot down for lack of caring.

  7. Why? by FlyByPC · · Score: 4, Funny

    For most of the Web surfing that I do, full https encryption simply isn't needed. Why do I need encryption (which adds another quite significant protocol layer) to surf Slashdot or CNN or xkcd?

    OK, granted, I probably should use encryption or TOR for that last one or the 'raptors will catch on. But other than that... why?

    --
    Paleotechnologist and connoisseur of pretty shiny things.
  8. HTTP(S)? Marketing/profitability & IPv4 by GiMP · · Score: 4, Interesting

    First, keep in mind that name-based virtual hosting with HTTPS is very limited. With few exceptions, you're quite restricted in your ability to host multiple SSL-encrypted sites on a single IP address. Most often, one must instead assign each SSL-encrypted virtualhost to a dedicated IP address. If every website was, today, to switch to HTTPS-only operation, and if the RIRs were to allow it, we would immediately run out of IPv4 addresses. You can argue that we should instead be using IPv6, and I might agree, but we're simply not there yet.

    Secondly, performance is a major consideration for many companies. This is especially true for internet marketing & advertising efforts, for whom every millisecond matters in their ability to serve their content. Advertisers are unlikely to prefer SSL over unencrypted content. Worse, marketers are those most likely to desire poor security practices in order to gather information and track users, while also being those that provide means of financial sustainability for many sites. That is, if the marketing companies won't go for it, the companies being paid by the marketing companies won't go for it.

    Thirdly, cookies and other domain-specific security measures may not be functional via HTTPS, depending on the browser's security configuration. Some browsers provide warnings or block unencrypted content sourced by encrypted pages, or originating from another domain. The security profile of the browser may be much different for SSL-protected sites than for unencrypted pages. Ultimately, this would prevent, discourage, and limit advertising efforts which (again) drive the sustainability of many sites.

  9. Re:encryption alone by Ephemeriis · · Score: 4, Insightful

    is not the whole solution.

    This.

    I'm fairly certain Blizzard uses some kind of encryption on their database. Probably doesn't send passwords in cleartext. But accounts still get compromised left and right. Not because the encryption is failing, but because people set stupid passwords and share them with friends.

    The same thing is true of banking websites, and PINs, and logins to the corporate network, and whatever else. The weakest link isn't whether your data/authentication/network/connection/whatever is encrypted... The weakest link is the person sitting in front of the terminal. And as long as you've got users who'll click on random executables and use their kid's name as a password and share their credentials with someone else, encryption isn't really going to get you very far.

    Sure, it'd help... It'd be another layer of protection. Another bit of security. I'm not saying that people shouldn't use encryption... But when you're looking at where to spend money, and what effort is going to get you the most impact, encryption isn't necessarily it.

    --
    "Work is the curse of the drinking classes." -Oscar Wilde
  10. People don't see the value by Sloppy · · Score: 4, Insightful

    It costs a nonzero amount to get a certificate at all, and a self-signed certificate is barely better than raw http.

    To answer the original question, the thing holding back encryption is the above mistaken attitude, that using a self-signed cert is barely better than using plaintext.

    There won't be a push for improving the cert system (e.g. by moving to an OpenPGP WoT or something) until more people are encrypting. And people won't be encrypting until they get over their foolish attitude that it's pointless to force attackers to use MitM instead of passive snooping.

    When more people start to realize that it's a good idea to force their opponents into doing expensive and risky things, then they will choose to do that and start to use (poorly-authenticated) key exchange. Once encryption with poorly-authenticated key exchange becomes more common, people will start to see a benefit to improving their authentication, so they'll attend more key-signing parties, or exert market forces within crippled single-signer systems to have cheaper CAs, or whatever.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  11. I can only answer for myself by obarthelemy · · Score: 4, Interesting

    But I'm not really using encryption because

    1- I don't have much of value to encrypt. Clearly, that's not the case for everyone, but encrypting my to-do list, address book, birthday list, and pathetic attempts at programming seem very much overkill.
    2- I don't feel confident I would do encryption right. I COULD encrypt my password list, but right now it's on a piece of paper hidden somewhere. If it were on my PC or cellphone, even encrypted, I'm not confident that I would be using a secure encryption method, nor that it wouldn't be short-circuited by a trojan/keylogger.
    3- I'm afraid I'll get encrypted out of my data. A few times a year, I have to clean up my HD and recover broken files. What happens when the files are encrypted on top of it? Any way to recover them?
    4- Is encryption reliable? What if I can't recover my data after I encrypted it?
    5- I'm not sure what programs I should use. Windows has some basic stuff, then there's PGP, Truecrypt...

    --
    The Cloud - because you don't care if your apps and data are up in the air.
  12. Re:encryption alone by Ephemeriis · · Score: 4, Insightful

    No measure or countermeasure is ever 100%, but in your disgruntled employee scenario, if you know what the confidential information is, you could use some mix of Rights Management Software... as well as the blocking of file types (say, .png, .jpg, .gif screenshots) from exiting the internal network... as well as preventing USB drive access, etc... and a lock on the computer case. So now the disgruntled employee would have to walk out the door with the computer

    Or press CTRL+P... Or snap a picture with their cell phone... Or write the information down on a post-it note... Or call someone up and read the information off to them over the phone... Or just remember enough important information to share it with someone else...

    Again, it might not be 100%, but depending on how many 9's you need to put next to your certainty that no confidential data can leave the network, and how much the business is willing to pay to implement it, you can have a fair amount of data protection. You're definitely not helpless to the whims and malice of your users.

    The problem isn't in somehow constraining your data from leaving the network. The problem is in keeping the information from leaving the company.

    Corporate espionage and whistleblowers and whatever else existed long before digital computers did.

    Which is my whole point - no amount of technology is going to prevent a user from leaking information that they have legitimate access to in the course of their work.

    You can reduce the impact of accidental leaks... You can block out viruses and keyloggers and whatnot... You can make it hard for someone who isn't supposed to have access to your data...

    But the easiest vector of attack has always been the person behind the terminal.

    And implementing all sorts of high-tech security isn't going to make it any harder to exploit that weakest link.

    If you can bribe a user, or trick them into clicking something they shouldn't, or convince them to trust you, or whatever - you can get access to their data. Regardless of the security measures put in place.

    --
    "Work is the curse of the drinking classes." -Oscar Wilde