How and why have the prior attempts at building security into the Internet failed to achieve high user-adoption rates?
- What have the previous attempts at building security into the Internet been? (S/MIME, OpenPGP, SSL/TLS client authentication, DNSSEC, IPsec, Kerberos, what others?) What have the essential characteristics of each been? What has been put into place, in each case, to mitigate the lack of adoption? What have people needed to do to implement them, that they haven't done? Who have been involved with these prior attempts? Who had the money to throw at these prior attempts? Who had economic motivation to research it? When were the prior attempts made? When were they standardized? How long have they been standardized? Where have the prior attempts been made? Where have the highest adoption rates for each technology been? Where have the lowest adoption rates been? How have the previous attempts at building security into the Internet failed to achieve high user-adoption rates? Why have they failed to achieve high user-adoption rates? To sum up the query of this post: What have the prior attempts done wrong?
All replies
- They are a product with no demand. Most people don't understand enough to care. Or to be fairer, in their personal risk assessments the consequence of unauthorised people reading their email is assessed as low, so the time and expense they are willing to expend to provide more security is minimal.
People accept the fact that once email/data leaves their sphere of control it is in an insecure domain. I don't see how anything can change that.
- It's because people want everything to be convenient and cheap.
- Proposed as answer by motherboardlove, October 20, 2008 0:04
- Cost and complexity. People want things to be easy. They want the internet to be safe, but only if it means they aren't the ones actually taking any action to make that happen. Think of AOL. How did AOL sell itself as an ISP to people with broadband? They did it by making the internet easier with keywords and customizable home pages. People were willing to throw money at that convenience.
- I agree with Nathan, as many folks take the easiest approach and may not be aware of security risks. However, for large companies security is now recognized as a business requirement. Customer information must be protected. Many standards now have extensive security controls required (PCI, Sarbanes-Oxley, HIPAA, SAS-70). Security will require more work, less convenience, and more costs. Being safe on the Internet is something every user should think about and strive for.
- Why have they failed to achieve high user-adoption rates? To sum up the query of this post: What have the prior attempts done wrong?
One possible answer: they were only technologies and they were technologies that were not particularly well aligned with economic, social and legal forces. DNSSEC is an interesting case in point. It languished unloved for years. Now it seems to be moving toward rapid adoption. Why now? DNSSEC is now in alignment with these social-economic factors. Criminals are now using DNS to attack users (spoofing and pharming attacks), big buyers of IT products and services are demanding support for DNSSEC (e.g. the US Government), etc.
How do we align technology with these non-technological forces to make the internet a better place?
- One more idea to consider is that security is not emphasized enough in many college or technical schools. The focus of an IT curriculum often leaves out key design or end-user safety training (at least I've found that true in my own experiences).
Maybe this trend is changing with the increase in malicious attacks. Security awareness is a vital principle that will help users stay safe, along with security defense systems.
- Hello everyone.
Many users have heard or read about certificates and digital signatures; perhaps because of their complexity they give up the desire to know more about the subject. It is a matter of education, no doubt, but whoever "explains" must do it in a clear and objective way.
- The simple answer is cost. What does it cost to secure an exchange? How much does it cost for the certificates to use the security that is now available? How many email servers are even set up to allow secure authentication and encryption even if the end users are aware that such an option exists?
The simple solution is to make certificates mandatory for all email users so that digital signatures and encryption can be enabled. This would be a pain for many users, but the main benefit will be the dramatic reduction in SPAM. Those that send SPAM are unlikely to get certificates for every email address they need to acquire to continue plaguing everyone and the few that persist will be traceable by their certificate. Casual anonymity may still be assured as long as internet service providers do not provide personal information to inquiries except by court order. The certificate issuers link their certificates to specific email addresses and do not provide personal information in the certificate without the request of the applicant. So the privacy issue remains with the internet service providers.
The only other problem is to enable servers to use SSL as every browser I have used allows SSL encryption. A requirement to enable SSL for everything sent over the internet will minimize, if not eliminate, any security issues with data transfers.
In summary, if everything that is transmitted over the internet requires some level of encryption, then the problems of casual interception and perversion of traffic on the internet will be minimized.
I envision private intranets as not being changed although businesses may wish to upgrade to a secure intranet. Modems will need to be upgraded to put a layer of encryption around all packets sent and received. This layer of encryption will be decrypted at each server and a new layer of encryption will be used until it is received at its intended destination where it will be sent, in the clear, from the modem to the end user's computer or intranet. In this way, the end user need not even be aware of this added layer of encryption. Of course the end user may also include other layers of security by encrypting the signed emails or encrypting other traffic that is sent over the internet.
As the costs associated with SPAM emails are diverted into security, the secure offerings by ISP or third party vendors should raise the overall level of internet security for everyone, even the users of the free email services and free certificate issuers.
- james,
Spam is the least of the internet's problems. I don't know if you are reading any cyber reports lately but the US is failing miserably in cyberspace. EFTs, provisioning, and manpower to defend have been traded out for one shiny solution after another with the promise of application lock-in and rising costs. I tend to be biased to American business especially where public safety and trust are concerned but not one American business has missed any opportunities to avail themselves of the full advantage once their foot was in the door. Cisco's webEx sends a checksum offload that in a LAN sandbox then propagates to some active directory functions. Microsoft products push buffers and memory clean-up laziness to the point where you must/need to connect to the fog. Almost 90% of all American/European software has some .NET backdoor, rootkit, DLA marketing treble hook, keylogger, or self-detonation timer keeping all of us on the cyber hamster wheel. Public trading used to be watching the ticker tape. Today, stock market storm troopers units have the arteries of today's business on remote detonators set to use at precise times where it will bolster their holdings in competing industries. All the while keeping the democratic process addicted to the payoffs and re-election campaigns. Vern's latter book about a mega-media giant ruling the world is unfolding before our time. Not to deliberately sound harsh but 2b|!2b(.) Spam... hmmmm. Think or swim.
Pappkartoosh
Just another speck in a Fibonacci sequence of stars about to be reordered by Andromeda

