Re: Revised LINK -07 now online

From: Lloyd Wood (l.wood@eim.surrey.ac.uk)
Date: Mon Nov 26 2001 - 17:30:02 EST


On Mon, 26 Nov 2001, Dan Grossman wrote:

> There are other sites that don't but should. For example, several sites that
> I use regularly do not use SSL for passwords. I've complained, but it's like
> complaining to a brick wall. A particularly annoying one is a site which
> partners with my (personal) ISP to allow me to tunnel email through HTTP and
> HTML. No use of SSL at all, even for password. Lloyd suggests not using
> them.

see below.

> I don't make it a point to cut off my nose to spite my face: there are
> times when the alternative is no access to personal email at all.
[..]

so you've evaluated the risks and you judge them acceptable. as anyone
else can do.

> Perhaps one point that I've tried, but failed, to get across in this debate
> has been that perfect security is obtained only by not trying to communicate.

that was exactly the point I was making to you. If you know a site you
use regularly is insecure, do not communicate with it... voila, you
have achieved perfect security with respect to that site.

Simple, no?

> The challenge is to see to it that mechanisms are proportionate to the assets
> being protected and the perceived threats to those assets.

in the global commons of an internetworked environment, that statement
becomes bunk. For example, an open mail relay does not pose much of a
problem to colocated assets that it normally delivers mail to, but to
everyone else on the planet as forged spam surges through it, even
though everyone else's assets don't show up on your balance sheet.

(unless, of course, you're treating intangibles like your reputation
as assets, so being real-time-blackholed would be the perceived
threat to be protected against.)

Remember that any shared link is a (privileged/limited/scope/local)
commons; as an asset the link itself generally has little intrinsic
value - it's merely an access mechanism - and the value of the assets
on the local subnetwork is as nothing compared to the value of the
internetwork as a whole.

Claude Bastiat's "What is seen and not seen" is imo a far more
perceptive and relevant take on the whole thing than a limited-scope
military/commercial asset-protection doctrine, and has a far better
sense of proportion.

L.

<L.Wood@surrey.ac.uk>PGP<http://www.ee.surrey.ac.uk/Personal/L.Wood/>



This archive was generated by hypermail 2b29 : Mon Jan 28 2002 - 09:12:29 EST