Way back in the early days when the web was still a sparkle in TBL's eye, there was a merry band of people who called themselves Cypherpunks. Lots of good thinking and code was done on the basis that in the near future we'd all routinely encrypt everything and then send it through a maze of dead drop anonymizer servers so that our tracks could never be followed. And even if they were, our communications were protected with military-grade encryption. You can almost pinpoint the moment when the Scientologists brought down anon.penet.fi as the time when this stopped being relevant.

We got over all that paranoia because nobody could be bothered, and sniffing packets from physical Ethernet was just too damn hard. So we arrived at a fairly happy medium where for most people SSL websites were enough to protect their credit cards. And only people like the NSA, the Chinese government and BigCo fascist firewall administrators were all that interested in what you did.

But WiFi has blown this wide open again because suddenly sniffing packets is easy. The industry's response is to try and secure layers 1 and 2 with encryption to make the wireless packets as secure as a piece of cat5 or coax. IMHO this is doomed. WEP (wired equivalent privacy! Hah!) was broken quickly and I don't expect WPA to last long once people seriously start attacking it. The problem is that it's trivially easy to collect very large quantities of encrypted data, which makes the code cracking an exercise in computing power and clever algorithms. And don't forget that some of the parties involved in WPA may have a vested interest in making sure it's not *too* good.

So without realizing we were doing it, we've now arrived back at the Cypherpunk Manifesto, where we're recommending end-to-end encryption. Initially we're talking about Wireless node to Trusted server and then plain from there on. This is the model of Email reader to Email server via SSL. Maybe this is the new settling point for "good enough" encryption. But isn't it just a short step from here to Email Reader to Email Reader with S/MIME or PGP? And private SSL web Proxy servers? What price Total Information Awareness when all Information is routinely encrypted and anonymized?

At which point I go off into a rant about the Verisign Pigopoly over Signed Certificates and the whole identity authentication thing of Passport vs Liberty vs PingID vs xxx. And probably another rant about perfect privacy vs perfect transparency. [from: JB Wifi]


[ 11-Dec-02 6:46pm ]