Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

What's Holding Back Encryption?

CmdrTaco posted more than 4 years ago | from the cypher-sex-is-a-different-thing dept.

Encryption 660

nine-times writes "After many years in IT, I've been surprised to notice how much of my traffic is still unencrypted. A lot of businesses that I interact with (both business and personal) are still using unencrypted FTP, and very few people use any kind of encryption for email. Most websites are still using unencrypted HTTP. DNSSEC seems to be picking up some steam, but still doesn't seem to be widely used. I would have thought there would be a concerted effort to move toward encryption for the sake of security, but it doesn't seem to be happening. I wanted to ask the Slashdot community, what do you think the hold up is? Are the existing protocols somehow not good enough? Are the protocols fine, but not supported well enough in software? Is it too complicated to manage the various encryption protocols and keys? Is it ignorance or apathy on the part of the IT community, and that we've failed to demand it from our vendors?"

cancel ×

660 comments

Sorry! There are no comments related to the filter you selected.

encryption alone (2, Insightful)

bugs2squash (1132591) | more than 4 years ago | (#30808764)

is not the whole solution.

Re:encryption alone (1)

leuk_he (194174) | more than 4 years ago | (#30809090)

Yes it is, but key management and trust is part of the solution and not very simple. You need some kind of authority to centrally manage the keys. improper key management will only give a false sense of security.

PS "Yes but" is the same as "no unless"

Re:encryption alone (4, Insightful)

Ephemeriis (315124) | more than 4 years ago | (#30809310)

is not the whole solution.

This.

I'm fairly certain Blizzard uses some kind of encryption on their database. Probably doesn't send passwords in cleartext. But accounts still get compromised left and right. Not because the encryption is failing, but because people set stupid passwords and share them with friends.

The same thing is true of banking websites, and PINs, and logins to the corporate network, and whatever else. The weakest link isn't whether your data/authentication/network/connection/whatever is encrypted... The weakest link is the person sitting in front of the terminal. And as long as you've got users who'll click on random executables and use their kid's name as a password and share their credentials with someone else, encryption isn't really going to get you very far.

Sure, it'd help... It'd be another layer of protection. Another bit of security. I'm not saying that people shouldn't use encryption... But when you're looking at where to spend money, and what effort is going to get you the most impact, encryption isn't necessarily it.

Costs? (4, Insightful)

tsj5j (1159013) | more than 4 years ago | (#30808766)

Isn't it the case in enterprises where they would rather keep things status quo instead of adding additional layers of (potential) problems? I believe they won't convert unless there's sufficient financial (dis)incentive to do so.

Re:Costs? (1)

McNihil (612243) | more than 4 years ago | (#30809078)

Reading confidential corporate emails in plain text where it is not supposed to be is not incentive enough?

and

IMHO Anyone still using FTP for material that isn't completely open nor "in-"sensitive should get a corporate slap on their foreheads and rightfully be labeled idiots.

Re:Costs? (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30809174)

What's holding back encryption? This reminds me of a joke. What has 100 teeth and holds back a BIG monster? My zipper! 'cuz I have a nigger cock.

From Uncyclopedia: [wikia.com]

Historically, whites have referred to those of other races by different Colors. The dark brown people are black, the deeply tanned are red, the not quite as pale but certainly still rather pale are yellow, etc. Jews are blue, named after the color of the lights they hang on their Christmas trees. Arabs are purple, because they are all homosexuals. Mexicans are pink, because they are part-white and part-American Indian. Those not able to be categorized are black because they are the biggest racists of all. Those named after primary colors are better than those named for mixed colors. White is best, because it is pure. White people are colored. Color White is combination of all colors both primary and secondary. Like monkeys. Monkeys are all the colors too. Like gold. Whites have gold hair. Serengeti monkeys have gold hair too. That is soooo weird! Pure gold (though, that is also kind of colored yellow as well...). Black sucks. It is the absence of all colors. So black people are not colored at all. but whites are all colors. Weird!!!

Re:Costs? (3, Insightful)

DarkOx (621550) | more than 4 years ago | (#30809264)

I am not sure I agree. We have alot files XML, and flat that get exchanged between our midrange system and serveral of our WinTel and Linux servers. They are on the same lan seqment in the same locked room. The replication to the hot site for these machines is encrypted; because I can't know my DS3 is not being spied on.

I don't say an reason why these machines need to use encyption to talk amongst themselves. Anyone who has access to one is trusted to have access on them all; anyone who is premitted to be in the room where they would have pyasical access is trusted. All encryption would add is additional mantainance; more overhead; and more to go wrong.
Why would we do that?

Re:Costs? (4, Insightful)

Lord Ender (156273) | more than 4 years ago | (#30809082)

It's key management and distribution, not cost. The costs are very low. Training everyone to exchange S/MIME keys, for example, is just too damn hard.

When email clients can automatically look up other peoples' certificates using DNS, then encryption will hit the main-stream.

(Oh, and bass-ackward companies like Apple are also holding back encryption. The iPhone can't do Secure Email after all this time? Really, Apple? Really?)

More direct costs. (2, Insightful)

SanityInAnarchy (655584) | more than 4 years ago | (#30809086)

It costs a nonzero amount to get a certificate at all, and a self-signed certificate is barely better than raw http.

It also costs a nonzero amount in server CPU usage and/or dedicated hardware to do the crypto itself, especially the https sessions. For example, Google App Engine will handle the SSL for you for free, using a wildcard cert for *.appspot.com, but the crypto does count towards your CPU quotas.

These two factors suggest that it makes sense for crypto to be used only where needed, rather than using it everywhere we can. Combine that with corporate sluggishness to approve any spending, and you can imagine why even where it is needed, it can be an uphill battle to get it actually adopted.

Re:More direct costs. (1)

sqlrob (173498) | more than 4 years ago | (#30809268)

In the enterprise, it's a near zero cost because they can set up an internal CA and churn out certs. Policy can push the root cert into the clients.

Self-signed is no good. (5, Insightful)

Anonymous Coward | more than 4 years ago | (#30808780)

Maybe when getting a server cert is free/easy people will do it defacto. but right now it's either shell out for an SSL cert or greet every traveller with the "omg this site has a self-signed cert!!!oneone" browser warning.

Re:Self-signed is no good. (4, Insightful)

Cimexus (1355033) | more than 4 years ago | (#30808896)

Agreed.

Also I'd argue that there's no real need for the majority of HTTP traffic to be encrypted anyway. Certainly anything that's a 'two way' kind of site should use encryption (anything that allows users to post stuff, or allows/requires them to sign in) is probably wise to encrypt, but for standard 'read only' websites where anyone can just read stuff, why bother encrypting? Even Slashdot doesn't require HTTPS connections for anything other than the sign-in process - again because there's no point encrypting things that are not usernames/passwords/sensitive information.

HTTPS has a significant performance overhead too, which is worth keeping in mind.

This applies to email as well, in a way. For the average user that just wants to fire up their Thunderbird/Outlook Express/other mail client of choice, getting an cert (e.g. from Thawte) is just too difficult. It needs to be seamless and built-in before the masses will use it.

Re:Self-signed is no good. (0)

OrangeCatholic (1495411) | more than 4 years ago | (#30809050)

I mostly agree with that, but I wouldn't mind read-only sites being encrypted as well. The way I see it, we're at a point now where all digital communications should be encrypted. Just how steep is the performance drop from HTTPS? With a 15 Mbit residential connection and a 2Ghz processor, I find it hard to believe that the performance drop will matter...to me.

To the server, maybe.

Oh, and what's wrong with a self-signed cert? The data is still encrypted, isn't it?

The web was built largely because people made websites for others out of the kindness of their hearts. From that, it's not a big step to turn on https.

Re:Self-signed is no good. (5, Funny)

R2.0 (532027) | more than 4 years ago | (#30809120)

"With a 15 Mbit residential connection and a 2Ghz processor, I find it hard to believe that the performance drop will matter...to me.

To the server, maybe.

Oh, and what's wrong with a self-signed cert? The data is still encrypted, isn't it? "

You flew in a private jet to Congressional hearings, didn't you?

Re:Self-signed is no good. (2, Informative)

schon (31600) | more than 4 years ago | (#30809144)

what's wrong with a self-signed cert? The data is still encrypted, isn't it?

It's still encrypted, but the question is by whom? What's the point of encrypting something if you can't be sure that the person you're talking to is the same person who encrypted it?

Re:Self-signed is no good. (5, Interesting)

schnablebg (678930) | more than 4 years ago | (#30809132)

Actually /. does not make it even possible to login via HTTPS, at least with Javascript turned on. The Totally Sweet Javascript popup they use for login is sent over plain HTTP, because it is not possible to POST to HTTPS via Javascript due to the same origin policy in browsers. If it is possible to get an HTTPS login page on /., I can't figure out how to do it.

Re:Self-signed is no good. (3, Informative)

danpritts (54685) | more than 4 years ago | (#30809194)

Startcom [startcom.org] offers free ssl certs and they are in all the browser roots now (although only recently added by microsoft).

that said, encryption of web traffic adds two significant bits of overhead:

  • encryption takes CPU time. on busy web sites this really adds up.
  • by default, most browsers won't cache anything that is ssl-encrypted. This really adds up too. Browsers warn you if some elements on an encrypted page aren't encrypted, so you can't mix elements easily.

Re:Self-signed is no good. (0)

Anonymous Coward | more than 4 years ago | (#30809242)

StartSSL is now providing free SSL certificates that actually work.

Because nothing bad... (1)

Chysn (898420) | more than 4 years ago | (#30808790)

...could possibly happen to me. That's it. Perceived risk versus perceived effort.

I have encrypted this post (5, Insightful)

fridaynightsmoke (1589903) | more than 4 years ago | (#30808794)

I have encrypted this post as my contribution to making encryption more widespread.

Here you go:
kkjkjGHIUgibilhjGHLiubhjbiu78HVji67gfUKGHVuygjh VljhbvolygILJKbIyugIJbikhjbKJBkbvkjnfJ.a,mx jchkdjqJiufhpi9fu{ywe9f8iunsiochjaijkcs

The fun part is that the (UK) cops can demand a decryption key for that, and lock me up when I inevitably fail to provide one....

Re:I have encrypted this post (3, Insightful)

PingPongBoy (303994) | more than 4 years ago | (#30809022)

The fun part is that the (UK) cops can demand a decryption key for that, and lock me up when I inevitably fail to provide one

So tell them you were not the encrypter/encoder. You downloaded it. It's the same as people circumventing other hacks, such as the hacks at preventing file sharing - band together with a group of anonymous people. Download each others encrypted data. Obfuscate who the encrypter is, and your own encrypted data can hide.

If this isn't good enough, write a Star Trek story about Klingons. Include plenty of Klingon conversation. Key: kkjkjGHIUgibilh is Blimey! in Klingon. So is jGHLiubhjbiu78HVji67.

Re:I have encrypted this post (1)

Concerned Onlooker (473481) | more than 4 years ago | (#30809104)

"The fun part is that the (UK) cops can demand a decryption key for that, and lock me up when I inevitably fail to provide one"

Yes, encryption won't stop government oppression, but it will slow it down. It's not just the fact that they can still harass one person, it's the fact that with everybody encrypting their communications the government's ability to data mine email and do covert spying on its own citizens becomes much harder.

Re:I have encrypted this post (1)

140Mandak262Jamuna (970587) | more than 4 years ago | (#30809106)

I have encrypted this post as my contribution to making encryption more widespread.

Here you go: kkjkjGHIUgibilhjGHLiubhjbiu78HVji67gfUKGHVuygjh VljhbvolygILJKbIyugIJbikhjbKJBkbvkjnfJ.a,mx jchkdjqJiufhpi9fu{ywe9f8iunsiochjaijkcs

The fun part is that the (UK) cops can demand a decryption key for that, and lock me up when I inevitably fail to provide one....

But what if that post contains the secret formula that would set the pants on fire successfully? You know what kind of danger that would pose to general aviation? So get ready to greet a couple of tall gentlemen in dark suit, dark glasses who speak into the lapels of their coat.

Re:I have encrypted this post (1)

fridaynightsmoke (1589903) | more than 4 years ago | (#30809250)

But what if that post contains the secret formula that would set the pants on fire successfully?

But I thought that a certain T. Blair had the formula for "pants on fire"!

Lack of time. (1)

Smoky D. Bear (734215) | more than 4 years ago | (#30808798)

A lack of time to implement it/management changing priorities... again. I would love to and I had thought that I had convinced management why we needed to (Nothing fancy, just ssl on parts of our web page). Then something blew up. Then something else blew up... and it just wasn't that important to management any more.

Nutshell (0)

Anonymous Coward | more than 4 years ago | (#30808800)

Businesses don't give a shit about encryption because there isn't any accountability on their part.

Your information is stolen? Too fucking bad. That's your problem.

Show me one company that got sued or whatever and had to pay for their stupidity with regards to information being stolen or lost.

Re:Nutshell (1)

Lunix Nutcase (1092239) | more than 4 years ago | (#30808878)

Okay [courant.com] . What do I win?

Signed certificates (4, Insightful)

Spazmania (174582) | more than 4 years ago | (#30808804)

Signed certificates are holding up encryption. Opportunistic encryption doesn't happen if it has to be carefully pre-planned.

Yes, unsigned encryption is vulnerable to MITM. So what? It protects against the far more common traffic sniffing and a plethora of other attacks.

Re:Signed certificates (1)

SanityInAnarchy (655584) | more than 4 years ago | (#30809118)

Yes, unsigned encryption is vulnerable to MITM. So what? It protects against the far more common traffic sniffing...

I wonder if traffic sniffing is far more common because it's easy to do, because we aren't really doing opportunistic encryption?

Re:Signed certificates (3, Insightful)

DavidTC (10147) | more than 4 years ago | (#30809134)

And there are plenty of places that MitM would not be relevant.

For example, email and FTP and other clients where the connection is almost certainly set up manually and repeatedly used (vs. web browsing where people may never return) should be fine with unsigned encryption, as all they need to do is store the cert fingerprint and make a fuss if it changes.

But, yes, this is exactly the point I've been making for years. All TCP/IP connections should be opportunistically encrypted, period. Including web pages. There's no reason not to. No, not even CPU. (If the server load is high enough that it matters, by all means, disable it for that server, but it should still be the default.)

Even if it's not the default, make it easy enough to flip on, so that web designers can flip it on for their password and account pages without having to buy a damn cert and get a new IP and other nonsense.

I just had to set up Thunderbird on a new computer, and I noticed, instead of prompting me what sort of email connection (IMAP or POP3) I had, and making me fill out info, it just asked for the server name, and tried the connection itself, prompting me with the ones it found. But the awesome thing was, it actually suggested using an _encrypted_ connection. So, yay, maybe people will actually start using them. (I wonder how many people check their email without even meaning to, via background processes, over open wifi.)

The interesting thing about SSL is that the cert is not actually needed, at all. You can use a SSL connection without a cert on either side, just like you can use one with a cert on both sides.

Sadly, absolutely nothing seems to support this.

Because it's a PITA - Pain In the Ass! (3, Insightful)

tomhudson (43916) | more than 4 years ago | (#30808812)

  1. It's a pain in the ass to set up - do YOU want to have to configure everyone's email, etc. to use it? I didn't think so.
  2. It's not needed. If I'm sending somethig sensitive, I can just encrypt it and send it as an attachment, and give them the password over the phone.
  3. You're already leaking your sh*t all over the net - and if you use google docs, you're letting an advertising company look at all your information.

Re:Because it's a PITA - Pain In the Ass! (1)

SanityInAnarchy (655584) | more than 4 years ago | (#30809150)

It's a pain in the ass to set up - do YOU want to have to configure everyone's email, etc. to use it?

Yes, actually, if I'm their admin. If I can't do something as simple as reconfigure everyone's email by throwing a switch, I'm probably a lousy admin.

Also only has to be set up once.

You're already leaking your sh*t all over the net

Only if you're careless, which is actually the point of the original question, I think -- why are people so careless about this?

if you use google docs, you're letting an advertising company look at all your information.

Better one advertising company under a contract that doesn't let them do evil stuff with it, than anyone who happens to sniff it, anywhere.

Re:Because it's a PITA - Pain In the Ass! (1)

OrangeCatholic (1495411) | more than 4 years ago | (#30809160)

>It's not needed.

You're clearly not anti-facist. Everybody says "oh, the criminals only go after what's important. Just protect that."

Actually, facists go after the mundane. In Germany it was your name that got you killed. Try encrypting that.

Re:Because it's a PITA - Pain In the Ass! (1)

mr crypto (229724) | more than 4 years ago | (#30809232)

Agreed. People switch between computers at home, work, and public workstations and don't have a universal login to make it 'just work' anywhere. It also definitely suffers from the "if everyone would just use OUR system it would be easy" problem. Try coming up with your own solution and run through setup scenarios for different users (including your mother) and you'll find that there are too many steps. Even just doing authentication is tough to make simple (relies on contacting some central authority).

Re:Because it's a PITA - Pain In the Ass! (1)

Stepnsteph (1326437) | more than 4 years ago | (#30809244)

^ This. Perhaps some people here are lucky enough to know people who are willing to use encryption tools. They don't live in the same world as the rest of us. "It ain't happening" isn't a strong enough way of expressing the situation. I was just barely able to convince someone to install an OTR plugin, and even then they grumble about it. That's just a plugin ffs. Imagine trying to convince people to use shared key encryption for their email. I've tried (I maintain a PGP key for some absurd reason) and the responses were "No" and "Hell no" and derivatives there of.

The closest I was able to get with email encryption was Ciphire Mail. That was a beautiful tool, and it was the easiest thing to ever happen to email encryption. It's a darn shame that they folded.

That is, of course, in regards to every day users. I can't speak for the enterprise level.

Apathy (3, Insightful)

quangdog (1002624) | more than 4 years ago | (#30808814)

I think that much more often than not most folks just use the default settings on their stuff, and at this point nearly all encryption is not something that is set up by default.

While the learning curve for using encryption in email, http, ftp, etc is not all that high, there is enough of one there for most people to just say "meh", even if they understand why they should be using encryption in the first place.

It's like personal home protection for many people - they don't want a gun in the house until after they've been robbed the first time. I'd wager that many people using encryption are doing so because they've been bitten by a lack of encryption in the past.

And pushing it would give false sense of security (3, Insightful)

sznupi (719324) | more than 4 years ago | (#30808912)

Really, most things which should be encrypted - are. There's no reason to push encryption everywhere; especially if it would confuse people and make them think everything is safe just because it's encrypted.

Re:And pushing it would give false sense of securi (1)

aGuyNamedJoe (317081) | more than 4 years ago | (#30809056)

I know -- why don't we all go to travelocity and check on flights to Pakistan, and then start encrypting all our email?

Or maybe someone could develop a web page that will set us up for encrypted email, and check for flights to Pakistan behind the scenes the first time, first...

Then we might have an interesting test of the security of encryption...

Re:And pushing it would give false sense of securi (1)

Sycraft-fu (314770) | more than 4 years ago | (#30809164)

No kidding. I mean using HTTPS for most websites? Why in the hell would you do that? If the site is public, well then that means anyone can look at the information anyhow. What would encrypting it gain?

Also encryption isn't free. It takes CPU time (or dedicated crypto units). This isn't a big deal on client PCs, you tend to have plenty of power, but on servers it can be a problem. You can end up needing to get more power if you are going to do a lot encrypted.

Encryption should be used sensibly, not indiscriminately. If there's a password involved, yes that password needs to be encrypted. If the data is sensitive or private in some way, yes that needs to be encrypted too. However there's no reason to encrypt something that is public anyhow. It's just a waste of resources.

Re:Apathy (1)

tsalmark (1265778) | more than 4 years ago | (#30809044)

Telnet and Rsh are effectively dead. FTP is used primarily on cheap hosting and drop boxes. HTTP is encrypted where it is taken to count - Banking and such. POP IMAP are being encrypted by more and more Large ISP's. Some issues that are solable by encryption are solved otherways (routing and firewalls) Everything can be encrypted but most does not need to be.

Re:Apathy (0)

Anonymous Coward | more than 4 years ago | (#30809062)

Canadians don't want guns in their houses. We learned from our previous primer minister that the only weapon* we need is a plastic spork from KFC.

* In case of missing spork, simply try to strangle the assailant.

There's no reason to encrypt HTTP (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30808816)

There's no reason to encrypt HTTP requests that don't contain personal information.

Re:There's no reason to encrypt HTTP (2, Insightful)

Cthefuture (665326) | more than 4 years ago | (#30808888)

Everything you do online provides personal information in some way.

Re:There's no reason to encrypt HTTP (1)

Pojut (1027544) | more than 4 years ago | (#30809040)

True, but some things truly don't matter if they get out in the open. My own website linked in my sig is a perfect example of that...while I log activities on my site through statcounter.com and can view any visitor's IP and system specs, their information isn't "public" unless they leave a comment (and then the only information public is what they write.)

A lot of information out there doesn't need to be protected, and other than my own traffic logs, there is nothing on my site that would warrent the cost and time associated with using encryption. If I were running a bank or a store, then absolutely everything if you were logged in would be encrypted...but for people like me, encryption is a waste of resources.

Re:There's no reason to encrypt HTTP (1)

MathFox (686808) | more than 4 years ago | (#30809074)

But there is no reason why I should make it easy for my ISP, upstream providers and the NSA to eavesdrop on communication with a webserver. Encrypting my communication plugs a big privacy hole: so, why not use it?

Re:There's no reason to encrypt HTTP (1)

grub (11606) | more than 4 years ago | (#30808946)


There's no reason to encrypt HTTP requests that don't contain personal information.


No? Think about someone in China searching for Falun Gong information then having their door kicked in by the state police.

Re:There's no reason to encrypt HTTP (1)

OrangeCatholic (1495411) | more than 4 years ago | (#30809188)

Thank you. Perfect example. Especially since it would happen.

Nothing's "broken" (1)

prescor (204357) | more than 4 years ago | (#30808822)

Because the people who pay for everything don't "see" a problem. From the uneducated user's perspective, everything works "the same" whether or not it's encrypted. They don't see how anything is "broken" so why should they pay $$$ in the form of certs and staff time to upgrade (i.e., "fix") things?

(That's a possible explanation, not an excuse.)

Not needed (1)

DerPflanz (525793) | more than 4 years ago | (#30808826)

I think it is simply not needed. Why would you put effort in encrypting a public website, or your e-mails to your grandmother to feed your cat while you're away.

Risk = damage x probability. Probability (sniffing email/web traffic) is extremely low on most data, as is damage. I think logins should be encrypted, but not (public) data.

Nothing (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30808828)

Most websites are using unencrypted http for sending non-secure public pages and most people don't use email for secure transmissions and consider it almost public.

The fact that everything is not encrypted does not indicate that anything is being held back.

Encryption has transmission and management costs. It is not "free" so it will never be ubiquitous.

maybe not apathy, nor ignorace (1)

AverageJoe8686 (1651997) | more than 4 years ago | (#30808834)

Maybe it's more of an issue of ready availability and accessibility. Plus (I think) some businesses may think that it's an unwarranted cost which should only be used for money transactions or whatever. But then again I'm talking outta my arse here with no previous knowledge.

Same old Same old (1)

killmenow (184444) | more than 4 years ago | (#30808840)

It's the same thing holding back lots of things: greed. Microsoft would standardized on e-mail encryption support in Exchange/Outlook if it were THEIR "standard" that either locked users in or locked other providers out. So would Apple and damn near every other company out there.

Lots of encryption is in place where companies stand to lose money (eg., DRM, banking, etc.) But where they stand to lose money DUE to encryption, it's not widespread...imagine that. If the security of your data isn't going to lose (or make) a company money, the people running that company don't care a whole lot about the security of your data.

I'll tell you what it is... (5, Interesting)

multipartmixed (163409) | more than 4 years ago | (#30808842)

...encrypted communications are too bloody hard to debug!

With unencrypted protocols, I can whip out the packet sniffer and find out *exactly* what's going on. With encrypted protocols, I have to write reports like "we have verified our software configuration and believe it to be correct; perhaps the problem is at your end?"

Maybe we need to come up with a standard way of encrypting things, that our packet sniffers somehow know how to decode. Maybe even with a "relax the crypto" configuration flag we can throw during debug.

Re:I'll tell you what it is... (1)

amorsen (7485) | more than 4 years ago | (#30809016)

Modern packet sniffers support IPSEC. Getting the keys out can be fun, but not all that difficult on e.g. Linux. Keeping up with the key changes adds a bit of fun too.

Re:I'll tell you what it is... (0)

Anonymous Coward | more than 4 years ago | (#30809190)

...encrypted communications are too bloody hard to debug!

With unencrypted protocols, I can whip out the packet sniffer and find out *exactly* what's going on. With encrypted protocols, I have to write reports like "we have verified our software configuration and believe it to be correct; perhaps the problem is at your end?"

Maybe we need to come up with a standard way of encrypting things, that our packet sniffers somehow know how to decode. Maybe even with a "relax the crypto" configuration flag we can throw during debug.

. . . wireshark

Apathy (1)

maino82 (851720) | more than 4 years ago | (#30808844)

I know at my company a lot of it is apathy. We have an unencrypted FTP site where clients can upload/download stuff at their leisure. It's not sensitive material, so no one really cares if something happens to it or if someone gets hold of what's up there. Probably not the best attitude, but if the higher ups don't concern themselves with it, I don't concern myself with it too much either. That being said, for internal stuff and for access to project files from offsite, I did set up an SSH account on a segregated virtual machine that we can gain access to via SFTP. I also gave out separate keys for each individual in our organization. If a key becomes compromised I can simply issue a new one to the key holder without having to inconvenience everyone else. Still probably not ideal (I'm not a security expert by any stretch of the imagination), but better than nothing.

Re:Apathy (1)

snspdaarf (1314399) | more than 4 years ago | (#30809182)

Agreed. Less than three percent of our customers want encrypted data exchange. They not only seem fine with standard FTP, they are hostile to SFTP. Some will ask for an IP address to add to their access control lists, but for most the attitude is, "Have a go, joe!"

Re:Apathy (1)

OrangeCatholic (1495411) | more than 4 years ago | (#30809316)

>Probably not the best attitude

It would be fine if your FTP server wasn't connected to every user in China and Russia. It's kind of like hanging your underwear to dry on a clothesline in the backyard thinking, "I only have one neighbor, what's the chance he's going to see my underwear?"

Meanwhile, there's 6 BILLION people living at your neighbor's house. I mean, it's not a sure thing that you'll get robbed, it just goes to show that your FTP server is in a ghetto.

That's what people don't get about the internet. It's the ultimate shitty party. Everyone's invited. There's no way to keep anyone out.

Oh wait, there is!

Key Management is hard (0)

Anonymous Coward | more than 4 years ago | (#30808846)

Both technically and administratively. I've lost count of the number of 'Public Key Certificate Expired' warnings I've had over the years. Also doing crypto slows down servers - the cpu hit on web servers by using https is significant so many only use https for the bits of transactions that really need it. I just wonder what hit Google took by encrypting by default all Gmail sessions.

Encryption isn't free (1)

raju1kabir (251972) | more than 4 years ago | (#30808856)

Most websites are still using unencrypted HTTP

Without dedicated hardware, https is an incredible performance drain on web servers. And even the dedicated hardware at the data centre won't help the client side. Not to mention the caching rules which mean much more data traffic.

For most web sites, I see no reason to use encryption.

Re:Encryption isn't free (1)

louzerr (97449) | more than 4 years ago | (#30809122)

While I agree most sites probably don't need encryption, I don't see why you'd need dedicated hardware, or why it would be an incredible performance drain. Even client-side, it shouldn't be too difficult of a task (unless you're decrypting War and Peace in a single download).

That encryption is a performance drain is a myth created by hardware vendors wanting to sell you more hardware.

Re:Encryption isn't free (1)

Nerdfest (867930) | more than 4 years ago | (#30809292)

To encrypt all traffic when running your web servers on an IBM mainframe costs _many_ millions of dollars a year. In cases like this, and when you're already near capacity on your hardware, encryption applicances are a great idea (they make debugging easier as well).

Re:Encryption isn't free (1)

raju1kabir (251972) | more than 4 years ago | (#30809294)

That encryption is a performance drain is a myth created by hardware vendors wanting to sell you more hardware.

Do you run any web servers? You should be able to see this for yourself.

On relatively decent hardware I push out about 60% as many pages per second with SSL. Much of this is due to the huge overhead on session setup. With separate front-ends for SSL I can keep this from tying up slots on my content generation servers.

Inertia (5, Insightful)

grub (11606) | more than 4 years ago | (#30808872)


What's Holding Back Encryption?

Simple: INERTIA.

Remember back in the day when the OpenBSD guys said Enough Already and pretty much dropped telnet, rsh, rcp, rlogin, etc. for the SSH suite of tools? Yeah, a bit of growing pains at the time but no one would want to go back. It took some time but finally other open source projects followed suit.

People are lazy, if there's no push to change most won't no matter what benefit the change offers.

Re:Inertia (5, Insightful)

Anonymous Coward | more than 4 years ago | (#30809192)

I can second that. A few years ago I was working as a database / web programmer for a company when my boss for small intranet applications group decided that all internal applications should run over SSL/TLS. Most of the business applications didn't convey any sensitive information, but some exposed personal information as customer name, address, bank routing number, social security number, phone numbers, etc. The internal network was all switched Ethernet, of course, but just about everyone was switching over to laptops with WiFi, which does carry a certain risk of packet sniffing. We switched over to HTTPS in the test system to find out that the image server run by another group didn't support it. This meant that our users would have either had to see a lot of warning messages about "insecure" elements on the page or either turn down IE's already lax security settings so much they wouldn't ever get any meaningful warnings. Since the group that served up images didn't care at all about encryption and wouldn't budge, the initiative was scrapped.

What should have been a nearly trivial process was shot down for lack of caring.

Lack of Open, Accessible Standards (1)

Kr1ll1n (579971) | more than 4 years ago | (#30808880)

Whole end-to-end environment encryption is currently a PITA to implement, use, and support. Fix these problems, and it will grow. And before anyone responds with, use X or Y product, think about this; the larger the environment, the less homogeneous it is. Think about product X and or Y in that scenario, and you will see the problem. Does Cisco use PGP or its open equiv? Nope. It uses its own stuff. So that means what is on X server is different than what is on X firewall and/or router. The absence of a strong open standard across platforms is what makes encryption the PITA it is for administrators.

first question: does it *need* encrypting (0)

Anonymous Coward | more than 4 years ago | (#30808882)

"Most websites are still using unencrypted HTTP"

that's cause most websites aren't serving up any content that needs encrypting. If you were only looking at banks etc, then maybe I'd worry.
Encrypting lolcats is just a waste of cpu cycles.

As for email, I only use my own mailserver or gmail these days, both of which are using ssl encrypted imap... If your emails contain sensitive information etc, you probably shouldn't be using hotmail etc :p

Invisible threat (1)

famebait (450028) | more than 4 years ago | (#30808892)

Suppliers give priority to what their customers nag about, and they nag about the problems they see and feel every day. Only those who get attacked and discover it see the threat of unencrypted traffic.

Potential problems (1)

Xamusk (702162) | more than 4 years ago | (#30808900)

Because if anything goes wrong, like forgetting the password or corruption on a single byte, can make your whole data unusable

it's all about perception (1)

cybernga (1201583) | more than 4 years ago | (#30808902)

since most people consider their daily transactions ( FTP , mail , what-have-you ) safe, there is no need to go for anything more even if the IT staff understands the risks, any attempt to actually implement something will cause a stone-throwing for "breaking something that was working just fine" even if the downtime is minimal.

The same reason router passwords are Admin. (1)

GiveBenADollar (1722738) | more than 4 years ago | (#30808908)

People are lazy. I know I am! If It doesn't need encryption, why encrypt it? Then again I have the root password on my linux box set to a single character, so maybe I'm too lazy.

There are a number of problems (1)

cdrguru (88047) | more than 4 years ago | (#30808910)

First big problem is you simply cannot send encrypted email to someone without a prior relationship. They aren't going to "get it" and they aren't going to be bothered to figure out why they can't read your email - just delete it.

The second problem is that if you want to be seen doing something "real", you need to spend some money on a "real" certificate. At a corporate level it might seem to make sense to have a corporate level certificate that then signs individual certificates. But this doesn't seem to be "real" enough.

Finally, most people understand that email is insecure and unreliable. They get a few Viagra ads every day and this reinforces the idea that it is insecure. They call people to make sure their email went through - because email is unreliable. Encryption would be another layer of trouble on top of all that insecurity and unreliability for no apparent benefit.

It's simple. (2, Insightful)

Low Ranked Craig (1327799) | more than 4 years ago | (#30808922)

It won't happen until the pain of not doing it exceeds the cost of implementing it.

Re:It's simple. (2, Insightful)

louzerr (97449) | more than 4 years ago | (#30809030)

Or, the cost of NOT doing exceeds the cost of doing it ...

What good is encryption? (0)

Anonymous Coward | more than 4 years ago | (#30808928)

If Chloe can break it at CTU in a couple of keystrokes? DAMN IT!!

Seriously? (1)

EXMSFT (935404) | more than 4 years ago | (#30808932)

Weeks after Google, a technology leader gets hacked by having ancient versions of IE 6 on their desktops, and you're asking why encryption isn't everywhere? Same reason IPv6 isn't everywhere, VOIP isn't everywhere, the current spam-friendly email protocols we've been living with for decades haven't been replaced with authenticated sender-based protocols, and why blacklist-based antivirus hasn't been replaced by a less "lossy" model of security. Why? Because doing nothing costs nothing. Doing something costs something - and if you can't explicitly explain why doing something more than the current "bare minimum" MUST be done, quantify the costs of doing vs. not doing it (and have the latter exceed the former) and/or end-of-life the current methodologies, then things just don't happen in the low-cost/low-budget world of IT.

VOIP isn't everywhere? Good! (3, Interesting)

Viol8 (599362) | more than 4 years ago | (#30809110)

Ever since our company fell for all the marketdroid hype from Cisco for VOIP and dumped our old but reliable PBX system we've had one problem after another. The new system has been as unreliable as its possible to be whether its large data loads being done over the network causing the voice quality to go through the floor or a network outage killing the system dead or SIP server bugs or just bugs in the IP phones themselves.

VOIP for the office is hype - all it does is save on some cabling and wall sockets which had already been installed and paid for anyway! Well whoop de fucking do. Talk about Emporers new clothes.

Re:Seriously? (1)

SanityInAnarchy (655584) | more than 4 years ago | (#30809238)

I was with you up till here:

the current spam-friendly email protocols we've been living with for decades haven't been replaced with authenticated sender-based protocols,

Are you telling me there's a spam-hostile email protocol possible? How does it do with The Form?

blacklist-based antivirus hasn't been replaced by a less "lossy" model of security.

Actually, the simple replacement for all antivirus is a savvy user. I don't think that's inertia, though, I think that's a weird social block we have -- we want to make this an IT problem instead of an end-user problem, because if it was an end-user problem, we'd have to educate all the end-users, and quite possibly lose a lot of otherwise-productive people who refuse to learn tech.

What's the problem? (2, Insightful)

spaceyhackerlady (462530) | more than 4 years ago | (#30808974)

What problem do we need to solve here? If it ain't broke...

Just for the hell of it I've toyed with hooking my geiger counter up to my computer, generating a couple of DVDs full of random numbers (really random) and using them for one-time pad encryption to send email to my Mom. Which cannot be cracked, by anybody.

There is also the issue that if you lock things down too tight you risk locking yourself out and can't get back in.

...laura

The costs overweight the benefits. (1)

kikito (971480) | more than 4 years ago | (#30808980)

The same happens with telephone conversations, or radio emissions. Except in some specific cases, it is just not worth the hassle.

Ease of use and implementation... (1)

foxtyke (766988) | more than 4 years ago | (#30808982)

That's where the hold up is in my opinion.

Secure e-mail via HTTPS/SSL is all but completely standard service throughout most providers, it's passive and in most cases proffered as the default information from a service provider.

Secure FTP via any means is a little touch and go, most hosting providers offer it in differing flavors but it is not well standardized in terms of FTP client support and each have their own name for the same methods.

Secure HTTP by default on sites, not really available for the market en masse due to cost of certificates and limitations of some of those cheap certificates which is why many do not offer it and with shared-services, your certificate is pretty worthless unless you opt for a dedicated IP in most plans/services.

PGP/GPG, now here's a real stick in the mud, this needs to be supported by all clients and implemented equally wherein there is nary a thought to clicking send (eg. what passphrase did I use for this one?)

DNSSEC, much like PGP/GPG, without wide adoption through large registrars and more information from those registrars on its uses, benefits and general reason for existence, it won't be used by many.

Performance overhead vs. value of the information (1)

Cimexus (1355033) | more than 4 years ago | (#30808986)

For me, it's mostly a tradeoff between the value of the information and the extra work/performance overheads involved in using encryption.

I usually don't bother encrypting my email because it's mostly mundane stuff, and frankly there's more of a threat from the owner of the email server reading my stuff than there is from a MITM attack. Also, getting and using a cert is a bit of extra work.

But if I do need to send sensitive information via email, I will use encryption. Generally by putting that sensitive information in an attachment, and encrypting the attachment using AxCrypt or something similar (128 bit AES which is pretty decent for anything I'd be communicating).

I upload and download files from a web server regularly, that permits standard FTP connections as well as SFTP and SCP. But I generally just use FTP because a) the stuff is usually mundane; and b) FTP maxes out my connection, whereas SCP/SFTP to the same server seems to bottleneck at 60 kB/s upstream for some reason - seems like quite a large performance overhead!

too much effort (1)

mrphoton (1349555) | more than 4 years ago | (#30808990)

I wish Thunderbird of evolution had some type of automated system for encryption, where you tagged your public key to the bottom of every e-mail. When an in coming e-mail was detected with a key at the bottom all replys were automatically encrypted. I think the problem with encryption at the moment is that people have to think about it so it does not happen.

Re:too much effort (1)

SanityInAnarchy (655584) | more than 4 years ago | (#30809274)

I wish Thunderbird of evolution had some type of automated system for encryption, where you tagged your public key to the bottom of every e-mail.

What? Thunderbird has had this for awhile, and so has KMail, and really any decent PGP-supporting mail client. It's not at the bottom anymore, though -- the preferred way is as an attachment.

When an in coming e-mail was detected with a key at the bottom all replys were automatically encrypted.

I suspect you can configure it this way, but it's fairly pointless -- it buys you very little unless you can verify that the key in question actually belongs to that user.

Encryption is demanding (1)

Alif (705217) | more than 4 years ago | (#30808996)

Encryption is pretty demanding on hardware. A normal webserver without a cryptographic accelerator can serve say 100x more webpages unencrypted then with a full HTTPS encryption.

One Word: (2, Insightful)

louzerr (97449) | more than 4 years ago | (#30809012)

Verisign. Because of the ridiculous cost of THEIR certificates, and that browsers don't seem to properly recognize any certs but ones from Verisign. People either use fake certs (encrypted traffic, but no verification of trust), or simply don't bother.

Also, because so many sites pull in images and other content from non-origin servers, webmasters do not know how to build a proper SSL site in most cases. It's tricky to do right (not impossible - just tricky), and most web designers / site administrators simply give up on SSL, rather than try to learn how to implement it properly.

Ethan Hunt (1)

holophrastic (221104) | more than 4 years ago | (#30809014)

Outside of our industry of computers and internets, security is handled wiht a simple motto -- secure what needs securing. With the knowledge that Ethan Hunt will always be able to break in, the question is not "what is insecure" but "what is being stolen". You don't need to secure something that no one wants.

Your home is easy to break into. Maybe you have a lock. Maybe you have a dead-bolt. Your locks can be carded, your dead-bolt can be picked.

You wouldn't want real security at your front door, because you'd be trapped outside more often than an actual burgler.

The same is true of computer security. If no one is breaking in, why would you want to slow everything down. My FTP traffic isn't that important. It's just code, and very few people think they want it.

Since when is no-encryption a problem? (1)

AbbeyRoad (198852) | more than 4 years ago | (#30809026)

Simply put, the bulk of security problems are not solved by encryption.

In fact encryption and authentication often create more problems than they solve. Corporations are asking for many passwords where they aren't needed, certificates create admin overhead, and encryption is more difficult to set up and get working in-time-to-market than if there were no encryption.

One doesn't invest in something "because it sounds like -- real cool, man". Rather, one must begin with a problem and think creatively to solve that problem. ...and encryption is just one of the available tools.

Also, you can't take the protocols SSL, DNSSEC, SFTP, IPSEC and pool them into one bucket and call it "encryption". Each are separate solutions to separate problems, and indeed will usually be only one component within the solution.

-paul

Isn't it obvious? Money (1)

Etylowy (1283284) | more than 4 years ago | (#30809072)

Certificates, bandwidth, cpu power - it all ain't free.
Encryption costs: the obvious - signed certificates aren't free, but also https has higher bandwidth cost than http, encrypting data is CPU intensive - it all sums up.

IMHO encryption will be always limited to the bare minimum - where money and/or sensitive data is involved - and that's fine: why the hell would I want to encrypt anything else?

Why? (4, Funny)

FlyByPC (841016) | more than 4 years ago | (#30809080)

For most of the Web surfing that I do, full https encryption simply isn't needed. Why do I need encryption (which adds another quite significant protocol layer) to surf Slashdot or CNN or xkcd?

OK, granted, I probably should use encryption or TOR for that last one or the 'raptors will catch on. But other than that... why?

It'd be nice to see... (0)

Anonymous Coward | more than 4 years ago | (#30809114)

...the crypto responsibility moved to the network where it belongs. It can and should be completely transparent to the end-user, and non-optional.

Want to send something via FTP/telnet/http? Fine, go ahead. We'll encrypt/decrypt it silently on your behalf anyway. No need to give it a second thought. Want to encrypt it yourself? Fine, go ahead. We'll encrypt/decrypt it all again, our way.

encryption is no panacea (0)

Anonymous Coward | more than 4 years ago | (#30809170)

because encryption breaks things and makes them run slower. Caching proxies fail with encryption. Error rates increase with every level of complexity, and fixing them gets less likely. Making computer work together is still hard, so making it artificially harder is retarded. I hate DNS-SEC, and I hate the push for encryption for no reason.

As another poster said, the bulk of security problems are not solved by encryption. Many problems are caused by poor attempts at encryption.

  - deadshift

Most Data Isn't Worth Encrypting (1)

InitZero (14837) | more than 4 years ago | (#30809178)

Most data traveling in the clear has little value. What value it has may be momentary. A week from now, it is worthless.

Heck, most encrypted data has little value. The fact of the matter is most data is worthless junk.

I was the backup administrator for a Fortune 500 company's branch office of 1,500 users. I have a pretty good idea of what data existed because I was responsible for keeping it safe. Of the terabytes upon terabytes of data sitting in the archive, I could have put the worth-encrypting sensitive company information on a USB thumb-drive. There was really that little of it floating around.

So, the reason most data isn't encrypted is that there really is no reason for its encryption.

Cheers,
Matt

Crying wolf in the past (1)

starglider29a (719559) | more than 4 years ago | (#30809270)

In 1994, I wrote a rant to my friends telling to "get encrypted or get pwned*". Paranoia of that day (new prez, newer congress, Blue laws, Waco, Ruby Ridge, OK city yet to happen) We went through a bit of wrangling to get PGP keys and such. We were not n00bs, but it still seemed more difficult than it should have been. We encrypted our emails, and even our chats... for a while. When we realized that nothing we were saying mattered to anyone interesting (pick a 3 letter acronym), we stopped bothering.

But now, it seems like delusional paranoia to think we need to encrypt our every day stuff. I still have that rant on file, and it seems pretty kooky in retrospect. Having to explain the wisdom of encryption to someone who can't open a .DOT file comes off as wacko.


*no, I didn't use that word.

Encrypting What? (0)

Anonymous Coward | more than 4 years ago | (#30809272)

The techniques discussed here address only the data in transit. While IO haven't seen anything other than anecdotes, my sense is that the successful attacks have been at the server/database/file level; i.e., static data.

There, I've seen the network guys and the application people pointing fingers at each other saying "encryption is HIS job, not mine.", when it's BOTH their jobs, IMO, since different techniques apply.

Certificates. (1)

Eskarel (565631) | more than 4 years ago | (#30809300)

The basic reality is that most information really isn't all that private, and that managing certificates is rather tedious and expensive.

People don't generally whisper when they're talking to their friends in public, or talk in code, or anything much else. They don't care too much who overhears. If something is supposed to be secret they take the appropriate steps.

The same is true for web traffic. Most of it just doesn't need to be all that secure. Sure bank details need to be private, and a few other things, but my google search doesn't really need to be. Google is already storing it, and why would anyone bother to spy on it, or care if they did?

The exception to this of course is e-mail which is more of a systematic failure than https or ftps. Most people would indeed like their e-mails to be private, but while webmail providers are starting to provide https interfaces, real, honest to goodness, e-mail encryption is just too damned hard. Key management becomes impossible past more than a couple of keys and the whole process is just incredibly tedious. The person who comes up with a way to get e-mail encryption in a way that isn't too much hassle and doesn't involve storing all your keys with some "trusted" third party will have a license to print money.

HTTP(S)? Marketing/profitability & IPv4 (4, Interesting)

GiMP (10923) | more than 4 years ago | (#30809306)

First, keep in mind that name-based virtual hosting with HTTPS is very limited. With few exceptions, you're quite restricted in your ability to host multiple SSL-encrypted sites on a single IP address. Most often, one must instead assign each SSL-encrypted virtualhost to a dedicated IP address. If every website was, today, to switch to HTTPS-only operation, and if the RIRs were to allow it, we would immediately run out of IPv4 addresses. You can argue that we should instead be using IPv6, and I might agree, but we're simply not there yet.

Secondly, performance is a major consideration for many companies. This is especially true for internet marketing & advertising efforts, for whom every millisecond matters in their ability to serve their content. Advertisers are unlikely to prefer SSL over unencrypted content. Worse, marketers are those most likely to desire poor security practices in order to gather information and track users, while also being those that provide means of financial sustainability for many sites. That is, if the marketing companies won't go for it, the companies being paid by the marketing companies won't go for it.

Thirdly, cookies and other domain-specific security measures may not be functional via HTTPS, depending on the browser's security configuration. Some browsers provide warnings or block unencrypted content sourced by encrypted pages, or originating from another domain. These security profile of the browser may be much different for SSL-protected sites than for unencrypted pages. Ultimately, this would prevent, discourage, and limit advertising efforts which (again) drive the sustainability of many sites.

Business email (2, Insightful)

freedumb2000 (966222) | more than 4 years ago | (#30809308)

In the case of email I am not using encryption because none of my business contacts are. It is kind of like with MS Word. I would love to use something different and I never mail out doc files, only PDF, but if everyone else is doing it's hard to stand your ground.

Talking out loud ... (2, Insightful)

daveywest (937112) | more than 4 years ago | (#30809320)

How often do you speak out loud in a public place?

None of that is encrypted. Someone might overhear you. Break out the tin foil hats!!!!

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?