Posts Tagged ‘pki’

One mode, and it is secure

Tuesday, June 24th, 2008

Ian Grigg correctly argues that any internet protocol that has an insecure mode can never be made secure, thus if security is introduced as after thought, will never be secure.

Https is exactly such a bolted on afterthought, and to use it one must pay money, and suffer substantial inconvenience. Further, it is a woefully inefficient protocol, so people always try to minimize their use of it to only what is truly necessary, which they are unlikely to ever do correctly. Further, those to whom one must pay money are themselves a point of failure, not a source of security.

Iang attempts, and fails, to make his website conform to the one mode principle. For a blog to implement “the one mode and it is secure” paradigm it must be accessed by https, and accessing it by http should generate an 301 redirect to the https site. The trouble is, that when one reaches the https site, the site has to have a certificate whose root is accepted by the big browsers, typically a Verisign certificate. Such certificates are a pain to get, and a pain to install. And so, no one ever does. Iang has not got a big name certificate in the appropriate name for his web site, so accessing his site correctly generates no end of alarming error dialogs.