Slashdot Mirror


What's Holding Back Encryption?

nine-times writes "After many years in IT, I've been surprised to notice how much of my traffic is still unencrypted. A lot of businesses that I interact with (both business and personal) are still using unencrypted FTP, and very few people use any kind of encryption for email. Most websites are still using unencrypted HTTP. DNSSEC seems to be picking up some steam, but still doesn't seem to be widely used. I would have thought there would be a concerted effort to move toward encryption for the sake of security, but it doesn't seem to be happening. I wanted to ask the Slashdot community, what do you think the holdup is? Are the existing protocols somehow not good enough? Are the protocols fine, but not supported well enough in software? Is it too complicated to manage the various encryption protocols and keys? Is it ignorance or apathy on the part of the IT community, and that we've failed to demand it from our vendors?"

7 of 660 comments

  1. Self-signed is no good. by Anonymous Coward · · Score: 5, Insightful

    Maybe when getting a server cert is free/easy people will do it de facto. But right now it's either shell out for an SSL cert or greet every traveller with the "omg this site has a self-signed cert!!!oneone" browser warning.

    1. Re:Self-signed is no good. by R2.0 · · Score: 5, Funny

      "With a 15 Mbit residential connection and a 2GHz processor, I find it hard to believe that the performance drop will matter...to me.

      To the server, maybe.

      Oh, and what's wrong with a self-signed cert? The data is still encrypted, isn't it?"

      You flew in a private jet to Congressional hearings, didn't you?

      --
      "As God is my witness, I thought turkeys could fly." A. Carlson
    2. Re:Self-signed is no good. by schnablebg · · Score: 5, Interesting

      Actually /. does not make it even possible to log in via HTTPS, at least with JavaScript turned on. The Totally Sweet JavaScript popup they use for login is sent over plain HTTP, because it is not possible to POST to HTTPS via JavaScript due to the same origin policy in browsers. If it is possible to get an HTTPS login page on /., I can't figure out how to do it.

  2. I have encrypted this post by fridaynightsmoke · · Score: 5, Insightful

    I have encrypted this post as my contribution to making encryption more widespread.

    Here you go:
    kkjkjGHIUgibilhjGHLiubhjbiu78HVji67gfUKGHVuygjh VljhbvolygILJKbIyugIJbikhjbKJBkbvkjnfJ.a,mx jchkdjqJiufhpi9fu{ywe9f8iunsiochjaijkcs

    The fun part is that the (UK) cops can demand a decryption key for that, and lock me up when I inevitably fail to provide one....

    --
    This is a substitute for a clever sig that fits within the maximum number of characters.
  3. I'll tell you what it is... by multipartmixed · · Score: 5, Interesting

    ...encrypted communications are too bloody hard to debug!

    With unencrypted protocols, I can whip out the packet sniffer and find out *exactly* what's going on. With encrypted protocols, I have to write reports like "we have verified our software configuration and believe it to be correct; perhaps the problem is at your end?"

    Maybe we need to come up with a standard way of encrypting things, that our packet sniffers somehow know how to decode. Maybe even with a "relax the crypto" configuration flag we can throw during debug.

    --

    Do daemons dream of electric sleep()?
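One present-day form of the debug switch the comment above asks for is TLS key logging: the client writes each session's secrets in the NSS key log format, which Wireshark reads to decrypt a capture without weakening the cipher. The sketch below is an added example, not part of the original thread; `debug_client_context`, `index_keylog`, `can_decrypt` and the sample secrets are constructed for illustration.

```python
import re
import ssl

# Labels of the NSS key log format: one CLIENT_RANDOM line per TLS 1.2 session,
# several *_SECRET lines per TLS 1.3 session, all keyed by the ClientHello random.
LABELS = {"CLIENT_RANDOM", "CLIENT_EARLY_TRAFFIC_SECRET", "EXPORTER_SECRET",
          "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
          "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)$")

def debug_client_context(keylog_path):
    """Debug-only client context: certificate checks stay on, session secrets
    are appended to keylog_path, so treat that file like a private key."""
    ctx = ssl.create_default_context()
    ctx.keylog_filename = keylog_path
    return ctx

def index_keylog(text):
    """Return {client_random: {label: secret_hex}}; reject malformed lines."""
    sessions = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m or m.group(1) not in LABELS:
            raise ValueError(f"line {lineno}: not a key log entry")
        label, client_random, secret = m.groups()
        sessions.setdefault(client_random.lower(), {})[label] = secret.lower()
    return sessions

def can_decrypt(sessions, client_random):
    """True if the secrets needed for application data in both directions are
    logged for the session whose ClientHello carried client_random."""
    labels = set(sessions.get(client_random.lower(), {}))
    tls13 = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"} <= labels
    return "CLIENT_RANDOM" in labels or tls13

# Constructed sample (repeated bytes, not real secrets): a TLS 1.2 session, a
# TLS 1.3 session logged only up to the handshake, and a complete TLS 1.3 one.
SAMPLE = "\n".join([
    f"CLIENT_RANDOM {'11' * 32} {'aa' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'22' * 32} {'bb' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {'22' * 32} {'cc' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {'33' * 32} {'dd' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {'33' * 32} {'ee' * 32}",
])
```

Checking `can_decrypt` against the client random seen in a captured ClientHello tells you up front whether the sniffer will be able to show plaintext for that session.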
  4. Inertia by grub · · Score: 5, Insightful


    What's Holding Back Encryption?

    Simple: INERTIA.

    Remember back in the day when the OpenBSD guys said Enough Already and pretty much dropped telnet, rsh, rcp, rlogin, etc. for the SSH suite of tools? Yeah, a bit of growing pains at the time but no one would want to go back. It took some time but finally other open source projects followed suit.

    People are lazy; if there's no push to change, most won't, no matter what benefit the change offers.

    --
    Trolling is a art,
    1. Re:Inertia by Anonymous Coward · · Score: 5, Insightful

      I can second that. A few years ago I was working as a database / web programmer for a company when my boss for the small intranet applications group decided that all internal applications should run over SSL/TLS. Most of the business applications didn't convey any sensitive information, but some exposed personal information such as customer name, address, bank routing number, social security number, phone numbers, etc. The internal network was all switched Ethernet, of course, but just about everyone was switching over to laptops with WiFi, which does carry a certain risk of packet sniffing. We switched over to HTTPS in the test system to find out that the image server run by another group didn't support it. This meant that our users would have either had to see a lot of warning messages about "insecure" elements on the page or turn down IE's already lax security settings so much they wouldn't ever get any meaningful warnings. Since the group that served up images didn't care at all about encryption and wouldn't budge, the initiative was scrapped.

      What should have been a nearly trivial process was shot down for lack of caring.
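The failure in the last comment (an HTTPS page pulling images from a server that only speaks HTTP) and the plain-HTTP login form mentioned earlier in the thread can both be found before rollout by scanning page markup. This is an added example, not part of the original thread; the auditor, its finding classes, the host names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> (URL attribute, finding class). Scripts and frames can rewrite the
# page, a form target receives whatever the user typed, images are passive.
CHECKS = {"script": ("src", "active"), "iframe": ("src", "active"),
          "form": ("action", "form"), "img": ("src", "passive")}

class MixedContentAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []          # (class, tag, absolute URL) in page order

    def handle_starttag(self, tag, attrs):
        if tag not in CHECKS:
            return
        attr, kind = CHECKS[tag]
        value = dict(attrs).get(attr)
        if not value:
            return
        # urljoin resolves relative and scheme-relative (//host/path) references
        # against the page, so only explicit http:// targets are reported.
        target = urljoin(self.page_url, value.strip())
        if urlsplit(target).scheme == "http":
            self.findings.append((kind, tag, target))

def audit(page_url, html):
    """List every plain-HTTP fetch or form target an HTTPS page would trigger."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("page itself is not served over HTTPS")
    auditor = MixedContentAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed intranet page; all host names are hypothetical.
SAMPLE_PAGE = """
<html><body>
<img src="http://images.intranet.example/logo.png">
<img src="/static/banner.png">
<script src="//static.intranet.example/app.js"></script>
<form method="post" action="http://apps.intranet.example/login">
  <input name="user"><input name="pass" type="password">
</form>
</body></html>
"""
```

Run over every template in a test deployment, the findings list names each dependency that has to support TLS before the switch, which is the conversation the image-server group in the anecdote never had to have.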