Saturday, April 19, 2003

Do-It-Yourself (Not)

So I've been doing a bunch of security work lately. Because of a slightly strange mix of requirements, I wound up spending about a week working on an authentication and key exchange protocol that was halfway between Kerberos and SSL. We've since ditched that effort, which made me happy: inventing our own security made me really nervous. As I was perusing the absolutely excellent Secrets & Lies (by Bruce Schneier) yesterday, I found a quote that was all too appropriate. In it, Schneier is addressing the prevalent but INCREDIBLY STUPID myth that products that don't tell you the details of their security implementation are somehow more secure. (Microsoft has historically been a bad offender in this category, but there are plenty of other examples.)

He says:

The problem can be best illustrated with a story. Suppose your doctor said, "I realize we have antibiotics that are good at treating your kind of infection without harmful side effects, and that decades of research support this treatment. But I'm going to give you a pulverized pretzel instead, because, um, it might work." You'd get a new doctor.

In other words, use what's there.  

No comments:

Post a Comment