Snake oil (cryptography): Difference between revisions

From Citizendium
Jump to navigation Jump to search
imported>Sandy Harris
No edit summary
imported>Sandy Harris
No edit summary
Line 1: Line 1:
In [[Cryptography]], the term "snake oil" is often used to refer to various products which do not offer anything like the security their marketing claims. This is, regrettably, remarkably common. The reasons are rather varied:
In [[Cryptography]], the term "snake oil" is often used to refer to various products which do not offer anything like the security their marketing claims. This is, regrettably, remarkably common. The reasons are rather varied:
* One is the incurable optimism of programmers. As for databases and real-time programming, cryptography looks deceptively simple. Almost any competent programmer can handle the basics, implement something that copes with simple applications fairly easily. However, as in the other areas, almost anyone who tackles difficult cases without both some study of relevant theory and considerable practical experience is ''almost certain to get it horribly wrong''.
* As in any field, marketers exaggerate.
* Then there is the incurable optimism of programmers. As for databases and real-time programming, cryptography looks deceptively simple. Almost any competent programmer can handle the basics, implement something that copes with simple applications fairly easily. However, as in the other areas, almost anyone who tackles difficult cases without both some study of relevant theory and considerable practical experience is ''almost certain to get it horribly wrong''.
** For example, almost every company that uses their general-purpose programmers to implement crypto ends up with something easily broken; [[Microsoft Word]] and [[Adobe]] [[PDF]] encryption are the best-known examples, but there are dozens of others.
    
    


==External links==
==External links==
* Matt Curtin's Snake Oil FAQ [http://www.interhack.net/people/cmcurtin/snake-oil-faq.html] is the commonest reference.
* Matt Curtin's Snake Oil FAQ [http://www.interhack.net/people/cmcurtin/snake-oil-faq.html] is the commonest reference.

Revision as of 22:23, 1 August 2008

In Cryptography, the term "snake oil" is often used to refer to various products which do not offer anything like the security their marketing claims. This is, regrettably, remarkably common. The reasons are rather varied:

  • As in any field, marketers exaggerate.
  • Then there is the incurable optimism of programmers. As for databases and real-time programming, cryptography looks deceptively simple. Almost any competent programmer can handle the basics, implement something that copes with simple applications fairly easily. However, as in the other areas, almost anyone who tackles difficult cases without both some study of relevant theory and considerable practical experience is almost certain to get it horribly wrong.
    • For example, almost every company that uses their general-purpose programmers to implement crypto ends up with something easily broken; Microsoft Word and Adobe PDF encryption are the best-known examples, but there are dozens of others.


External links

  • Matt Curtin's Snake Oil FAQ [1] is the commonest reference.
Retrieved from "https://citizendium.org/wiki/index.php?title=Snake_oil_(cryptography)&oldid=514842"