
It's always two steps forward, another step back

Security technology has a habit of replacing the problem that it solves with an entirely new one. Encryption, for example, hides your data from others, but that also includes the user if he forgets the key. So we put in a PKI to manage all the keys, and that introduces a raft of other new problems. And so it goes on.

The latest idea for solving man-in-the-middle attacks is an ingenious solution from Carnegie Mellon University, called Perspectives. This looks very interesting, as it's claimed to be simple and cheap. Essentially it uses a network of "notaries" that check the web sites you visit to ensure that authentications returned to them are consistent with ones sent to you. 

This of course raises a privacy issue. The notaries, which might be universities, will have a lot of information on IP addresses and web activity. I hope they have an answer that's more than simply asking the notaries nicely to avoid recording client IP addresses.
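The consistency check described above, as an added sketch (not code from this post or from the Perspectives project): a simplified model in which each notary reports the key fingerprint it saw and the client compares that with its own view. The notary names, the 75% quorum and the sample keys are assumptions constructed for illustration.

```python
import hashlib
from collections import Counter


def fingerprint(key_bytes):
    """SHA-256 fingerprint of the key material a server presented."""
    return hashlib.sha256(key_bytes).hexdigest()


def check_consistency(client_fp, notary_reports, quorum=0.75):
    """Compare the fingerprint the client saw with what each notary saw.

    notary_reports maps notary name -> fingerprint, or None when the notary
    did not answer. Returns (verdict, agreeing, disagreeing).
    """
    answered = {n: fp for n, fp in notary_reports.items() if fp is not None}
    if not answered:
        return "unknown", [], []  # no second opinion at all
    agreeing = sorted(n for n, fp in answered.items() if fp == client_fp)
    disagreeing = sorted(n for n in answered if n not in agreeing)
    # Divide by every configured notary, so that silent notaries count
    # against the quorum instead of shrinking it.
    total = len(notary_reports)
    if len(agreeing) / total >= quorum:
        return "consistent", agreeing, disagreeing
    top_fp, top_count = Counter(answered.values()).most_common(1)[0]
    if top_fp != client_fp and top_count / total >= quorum:
        # The notaries agree with each other but not with the client:
        # the client's own network path is the odd one out.
        return "mismatch", agreeing, disagreeing
    return "inconclusive", agreeing, disagreeing


# Constructed sample data: two made-up keys and four hypothetical notaries.
GENUINE = fingerprint(b"constructed genuine server key")
SUBSTITUTE = fingerprint(b"constructed substitute key")
REPORTS = {"notary-a": GENUINE, "notary-b": GENUINE,
           "notary-c": GENUINE, "notary-d": GENUINE}

if __name__ == "__main__":
    print(check_consistency(GENUINE, REPORTS)[0])
    print(check_consistency(SUBSTITUTE, REPORTS)[0])
```

Each lookup in a scheme like this tells the notaries which site the client is about to visit, which is the privacy exposure raised above.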

 


Comments (1)

Dave Aitken:

It seems that the answer to the concern expressed is: "it depends".

The CMU web site states: "Notary Server Privacy Policy: All notary servers adhere to a strict policy of never recording client IP addresses, period. The Perspectives project and its software will only contact Notary servers that follow this privacy policy. Your privacy is important to us."

I suppose that this statement of policy intent needs to be backed up with a set of requirements on the function of the putative "notary server" machines. Auditing compliance with same would then be "interesting".


About

This page contains a single entry from the blog posted on August 28, 2008 9:35 AM.
