Why don't people use secure internet tools?


#1

Originally published at: http://boingboing.net/2017/05/31/why-dont-people-use-secure-i.html


#2

Or because most people really just don’t care. We aren’t sharing passwords and if a dick pic gets out, the world isn’t ending. We also know that if the gov’t truly wanted something and if we lived in an oppressive enough country, they’d get the information one way or the other – and I can guarantee that the way they get this information won’t be as nice as simply hacking us.

Simply put, it honestly doesn’t matter to MOST people.

Me? I care. And I still realized that no matter what I do, hackers might still be one step ahead.


#3

Friction, friction, friction.


#4

Seriously mostly just make them NOT A PAIN IN THE ASS TO SET UP AND USE.


#5

Preach it!


#6

voice calls on Signal suck

Sure, this is your opinion @doctorow, but I recommend you to verify this claim with a recent version of Signal. There were large changes concerning call quality alongside the introduction of video calls. (blog post with technical details)

Though that you are of the impression that Signal calls suck (which might have been true in 2016) shows the problem with having a feature implemented, but not in perfect shape. This can get some services discredited sustainably and users are less likely to try the service again. So from a developer’s perspective it’s a very tough question how to launch features: after some time in a good shape (but your rivals never rest!) or earlier with some flaws?


#7
  • “Experts” (or just actual practitioners) rarely agree on rankings of these same tools.
  • could this point be phrased more arrogantly?

As to the headline question if anything the fault lies primarily with us the security practitioners. We make complicated ugly tools that require too much arcane knowledge to use.


#8

participants did not appreciate the difference between point-to-point and E2E encryption

Well I have some experience with network security and I don’t know what the hell the difference between these two things is either. I mean I get E2E, but what the heck is the difference between E2E and P2P? Does P2P indicate not getting to the end and only encrypting for a portion of the route? That would make some sense and have security implications but… Nope.

Google being my friend, apparently P2PE is a standard from the PCI Security Standards Council. Awesome!, what the heck is the PCI Security Standards Council? Is that the a standards body that camp up with the PCI bus? Of course not, this is apparently a group created and run by a group of financial credit companies (think VISA International) to create security standards for credit transfers.

I am definitely biased by my own ignorance, but expecting average users to have a clue about this seems a bit ridiculous to me.


#9

How do I know for sure that something is secure, and not a Trojan Horse/Virus/Keylogger?


#10

Network A is behind a firewall but needs to pass data across an untrusted network to Nework B. This is where P2P is handy. Sysadmin A sets up a VPN with Sysadmin B and that way some/all traffic between Network A & B gets encrypted. This could just be email or database updates or some random file transfer. A & B could be the same company in different locations or different companies that do some business together.

E2E is all/some traffic between endpoint/computer A and endpoint/computer B gets encrypted.

Of course this still doesnt account for HTTPS/TLS, PGP or lots of other possible encryption scenarios…

Isnt this stuff fun?

In the Imaginistan of Security Pundits, you are supposed to be able to decompile all binaries on your own to evaluate for yourself!

(thats a big ol /s for anyone who didnt figure it out…)


#11

You’re description is pretty much what I would come up with. Point to point indicates that at least one of the encryption end points is not at the actual end of the transmission. However, if you do a search for point to point encryption in google, that isn’t what comes up anywhere in the first page. P2PE is (also?) a specified standard created by the PCI Security Standards Council for handling purchases.

Now I would say that is pretty lame name for their standard, but that also indicates how bad that question is for a test question. Because even after our discussion and looking at the studies PDF, I still don’t know what definition they were using when they asked the participants about the difference between E2E and P2P.


#12

Indeed:

However the definition given there still matches my description above.

But whats in a way more confusing is if you try and search without PCI you get this:

Which again is technically correct but not the answer you were looking for.

Most indeededly so. And this comes back to my point about us “experts” expect too much arcane knowledge from non-experts.

Also if you think trying to learn these sorts of basics is annoying, just wait until you get into encryption key management! (a term which has multiple understandings to confuse the subject even further…)


#13

This topic was automatically closed after 5 days. New replies are no longer allowed.