Snake oil (cryptography): Difference between revisions

From Citizendium
Both revisions by imported>Sandy Harris (no edit summary)
Changed lines (previous revision versus this revision):

Previous revision:
In [[Cryptography]], the term "snake oil" is often used to refer to various products which do not offer anything like the security their marketing claims. This is, regrettably, remarkably common. The reasons are rather varied:

This revision:
In [[Cryptography]], the term "snake oil" is often used to refer to various products which do not offer anything like the security their marketing claims.

This is, regrettably, remarkably common. The reasons are rather varied:

Previous revision:
* Then there is the incurable optimism of programmers. As for databases and real-time programming, cryptography looks deceptively simple. Almost any competent programmer can handle the basics, implement something that copes with simple applications fairly easily. However, as in the other areas, almost anyone who tackles difficult cases without both some study of relevant theory and considerable practical experience is ''almost certain to get it horribly wrong''. This is demonstrated far too often.

This revision:
* Then there is the incurable optimism of programmers. As for databases and real-time programming, cryptography looks deceptively simple. Almost any competent programmer can handle the basics, implement something that copes with the simple cases, fairly easily. However, as in the other areas, almost anyone who tackles difficult cases without both some study of relevant theory and considerable practical experience is ''almost certain to get it horribly wrong''. This is demonstrated far too often.

Revision as of 22:39, 1 August 2008

In Cryptography, the term "snake oil" is often used to refer to various products which do not offer anything like the security their marketing claims.

This is, regrettably, remarkably common. The reasons are rather varied:

  • As in any field, marketers exaggerate.
  • Then there is the incurable optimism of programmers. As with databases and real-time programming, cryptography looks deceptively simple. Almost any competent programmer can handle the basics and implement something that copes with the simple cases fairly easily. However, as in those other areas, almost anyone who tackles difficult cases without both some study of the relevant theory and considerable practical experience is almost certain to get it horribly wrong. This is demonstrated far too often.
    • For example, almost every company that uses their general-purpose programmers to implement crypto ends up with something easily broken; Microsoft Word and Adobe PDF encryption are the best-known examples, but there are dozens of others.
  • Cryptography in particular and security in general are tricky because you get no direct feedback. If your word processor fails, you see the results. If your cryptosystem fails, you may not know.
    • In a famous example, the British Ultra project at Bletchley Park read many German codes during World War II, and the Germans never realised it.

External links

  • Matt Curtin's Snake Oil FAQ (http://www.interhack.net/people/cmcurtin/snake-oil-faq.html) is the commonest reference.