Re: How secure is SSL emails?
From: David Wagner (daw_at_taverner.cs.berkeley.edu)
Date: Thu, 1 Jul 2004 22:05:21 +0000 (UTC)

Vernon Schryver wrote:
>David Wagner <firstname.lastname@example.org> wrote:
>> * does the right thing with 4.BSD derivatives and Solaris 2, but
>> * may occasionally miss source routing options on incompatible
>> * systems such as Linux. Their choice.
>>This illustrates some of the pitfalls of unsafe defaults and the risks
>>of blacklisting bad options rather than whitelisting known good options.
>I disagree and say that it illustrates the pitfalls of trying to write
>portable code, and the major dangers in trying to write portable code
>with security implications.

Yes, that too. The point is that enabling source routing increases
the number of things that can go wrong in your software. It increases
the size and complexity of your trusted computing base and thereby increases
the likelihood of software bugs that compromise security. Taking on those
kinds of additional risks is not prudent engineering practice.

>Your reasoning is based on the premise that source routing is a security
>risk without any value. Given that premise, of course you are right.

Well, that's not quite my premise, although it is pretty close; I
believe the benefits are small, while the risks are large and often
underestimated. You might disagree with that assessment, and that's
your prerogative. Still, you should recognize that the problem is more
subtle than you seem to have acknowledged. Part of the issue is that
the people who incur the risks (if source routing is enabled) are not
the ones who accrue the benefits.

You're trying to argue that everyone else should enable source routing, so
that you run 'traceroute -G'. But why should everyone else be required
to take on security risks with no benefit to them? If some generous
souls want to provide that resource to the community and deal with the
associated security risks, that's their right -- but if others don't
want to make that tradeoff, that's also their right, too.
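
The blacklist-versus-whitelist point in the quoted remark above, as an added example that is not part of the original post or of the code the quoted comment comes from: a denylist check that walks the IPv4 option list looking for the two source-route types, beside an allowlist check that accepts only padding. The sample buffers are constructed, and the `skip` parameter is an assumption used to model a walker that expects a different buffer layout than the one it is handed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OPT_EOL  0x00  /* end of option list */
#define OPT_NOP  0x01  /* one-byte padding */
#define OPT_LSRR 0x83  /* loose source and record route */
#define OPT_SSRR 0x89  /* strict source and record route */

/* Constructed option buffers (type, length, data...). */
static const uint8_t PAD[4]   = {1, 1, 1, 0};                  /* padding only */
static const uint8_t LSRR[8]  = {0x83, 7, 4, 192, 0, 2, 1, 0}; /* one-hop LSRR */
static const uint8_t OTHER[4] = {0x94, 4, 0, 0};   /* a type the denylist does not name */

/* Denylist: walk the list from offset `skip`, reject only LSRR/SSRR.
 * Returns 1 = accept, 0 = reject. */
int denylist_accepts(const uint8_t *opt, size_t len, size_t skip)
{
    size_t i = skip;
    while (i < len) {
        uint8_t t = opt[i];
        if (t == OPT_LSRR || t == OPT_SSRR) return 0;
        if (t == OPT_EOL) break;
        if (t == OPT_NOP) { i++; continue; }
        if (i + 1 >= len || opt[i + 1] < 2) break;  /* malformed: stop walking */
        i += opt[i + 1];                            /* jump to the next option */
    }
    return 1;  /* nothing on the denylist was seen */
}

/* Allowlist: accept only buffers made entirely of padding. There is no
 * walk, so the result does not depend on where the list is assumed to start. */
int allowlist_accepts(const uint8_t *opt, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (opt[i] != OPT_NOP && opt[i] != OPT_EOL) return 0;
    return 1;
}

int main(void)
{
    printf("LSRR, walk from 0: deny=%d\n", denylist_accepts(LSRR, sizeof LSRR, 0));
    printf("LSRR, walk from 4: deny=%d\n", denylist_accepts(LSRR, sizeof LSRR, 4));
    printf("LSRR, allowlist:   allow=%d\n", allowlist_accepts(LSRR, sizeof LSRR));
    printf("OTHER: deny=%d allow=%d\n", denylist_accepts(OTHER, sizeof OTHER, 0),
           allowlist_accepts(OTHER, sizeof OTHER));
    return 0;
}
```

The denylist walker rejects the source-route buffer only when its starting offset matches the layout; started four bytes in, it lands on a zero byte, reads it as end-of-list and accepts. The allowlist rejects that buffer and the unnamed option type alike.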