Ignoring Security makes it Better

The past few months have been busy, although there haven't been many things that it made sense to blog about. I've been working on something Kerberos-related, which I will discuss shortly, and on a couple of requirements analysis/design projects. It is enjoyable to get back into designing new products; it has been a while since I've gotten to focus on that.

The other day, I was trying to send some financial information to my accountant. I didn’t want to send it unencrypted, so I gave him an HTTPS URI to a website I set up with the information. He ran into trouble downloading the file: it took a long time and was corrupted on receipt. As best I can tell, there is something wrong with his networking or firewall.

He suggested that I upload the information to a “secure” FTP site. I looked at the FTP server; as best I can tell, it doesn’t support TLS, SSL or any other form of encryption. I think it may be secure in that it is identified by an IP address rather than a hostname and that it is used for sensitive information.

By this point, we were getting fairly frustrated. His IT staff had spent significant time on the issue at a very busy time of year for accounting firms, and I'm a small client. I was investigating the email path between us, wondering if I should just give up on privacy and send the information unencrypted. I noticed that the mail server supported STARTTLS, a mechanism for encrypting mail in transit between two mail systems. I checked; the email I had been sending him was actually being encrypted. Obviously, there are differences between the security guarantees you get from a hop-by-hop protocol like SMTP, where each encrypted connection only covers the path from one system to the next, and those you get from an end-to-end encrypted TLS connection to a website. Of course, you also don't know how the information is handled once it is received, or how reasonable it is to trust the receiving system. Still, hop-by-hop encrypted email was good enough for my purposes.
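
Two checks a practitioner would run at this point, as an added example that is not part of the original post: first, parse an SMTP EHLO reply and see whether the server advertises STARTTLS (RFC 3207); second, read the `with` clause of a Received: header (RFC 3848 keywords such as ESMTPS) to confirm that a particular hop actually used TLS rather than merely offering it. The EHLO replies, hostnames and Received: headers are constructed for the example; the `live_starttls_check` function is an assumption about how you would repeat the test against a real server with the standard library and is not run here.

```python
"""Did the server offer STARTTLS, and did a given hop actually use it?

1. parse_ehlo_reply / advertises_starttls: does the EHLO reply offer
   STARTTLS (RFC 3207)?
2. hop_used_tls: does the "with" clause of one Received: header say the
   hop was TLS-protected (RFC 3848 keywords)?

All sample replies and headers below are constructed for this example.
"""
import re
import smtplib
import ssl
from typing import Dict

# Constructed EHLO replies in RFC 5321 multi-line format:
# continuation lines are "250-", the final line is "250 " (space).
SAMPLE_EHLO_WITH_TLS = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
SAMPLE_EHLO_NO_TLS = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250 8BITMIME\r\n"
)

# Constructed Received: headers for one hop that used STARTTLS and one that did not.
SAMPLE_RECEIVED_TLS = (
    "Received: from client.example.org (client.example.org [192.0.2.10]) "
    "by mail.example.net with ESMTPS id 1ABCDE-0001 "
    "(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256); "
    "Tue, 1 Apr 2014 10:00:00 -0400"
)
SAMPLE_RECEIVED_PLAIN = (
    "Received: from client.example.org (client.example.org [192.0.2.10]) "
    "by mail.example.net with ESMTP id 1ABCDE-0002; "
    "Tue, 1 Apr 2014 10:00:00 -0400"
)

# RFC 3848 / RFC 6531 "with" keywords: a trailing S means the session used TLS,
# a trailing A means the client authenticated.
TLS_WITH_KEYWORDS = {
    "ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
    "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA",
}


def parse_ehlo_reply(reply: str) -> Dict[str, str]:
    """Map each advertised EHLO keyword (upper-cased) to its parameter string.

    The first 250 line is the server greeting, not an extension, and is skipped.
    Raises ValueError on any line that is not a 250 reply line.
    """
    lines = [ln for ln in reply.splitlines() if ln]
    extensions: Dict[str, str] = {}
    for index, line in enumerate(lines):
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError(f"not an EHLO reply line: {line!r}")
        if index == 0:
            continue  # greeting line
        keyword, _, params = line[4:].strip().partition(" ")
        if keyword:
            extensions[keyword.upper()] = params.strip()
    return extensions


def advertises_starttls(extensions: Dict[str, str]) -> bool:
    """True if the parsed EHLO reply offered the STARTTLS extension."""
    return "STARTTLS" in extensions


def hop_used_tls(received_header: str) -> bool:
    """True if this Received: header's "with" clause says the hop used TLS.

    Covers only the one hop this header describes; every Received: header on
    the path has to be checked to know the whole route was encrypted.
    """
    match = re.search(r"\bwith\s+([A-Za-z0-9]+)", received_header)
    return bool(match) and match.group(1).upper() in TLS_WITH_KEYWORDS


def live_starttls_check(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Assumed live check: connect, EHLO, and upgrade to TLS if it is offered.

    Not run by this example (needs network access). Returns False when STARTTLS
    is not offered; raises smtplib.SMTPException or ssl.SSLError if the upgrade
    or certificate verification fails.
    """
    context = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo()
        if code != 250 or not smtp.has_extn("starttls"):
            return False
        smtp.starttls(context=context)
        return True


if __name__ == "__main__":
    for label, reply in (("with TLS", SAMPLE_EHLO_WITH_TLS), ("no TLS", SAMPLE_EHLO_NO_TLS)):
        print(label, "- advertises STARTTLS:", advertises_starttls(parse_ehlo_reply(reply)))
    print("TLS hop:", hop_used_tls(SAMPLE_RECEIVED_TLS), "| plain hop:", hop_used_tls(SAMPLE_RECEIVED_PLAIN))
```

Two caveats worth keeping in mind when reading the results. STARTTLS as normally deployed is opportunistic: a sending server that does not see the extension advertised simply falls back to cleartext, so an attacker on the path who strips the STARTTLS line from the EHLO reply downgrades the hop silently. And each Received: header is written by the receiving server of that hop, so the `with ESMTPS` annotation is only as trustworthy as that server; it tells you about the wire between two relays, not about how the message is stored afterwards or about the final pickup by the recipient's mail client.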

I like this story because it's one of those cases where security and usability align. By not thinking about security at all, I would have achieved protections that were adequate for my task. It's great to be reminded that with today's software that does happen. However, it also illustrates the disconnect between actual security and the perception of security. Had I taken the extra step of using the FTP site, most people would have viewed that as a step designed to better protect my sensitive information. However, as far as I can tell, it would have had the opposite effect, since that FTP server offered no encryption at all. And, of course, we're reminded that even when we expect a solution to be usable (like my HTTPS website), it may turn out not to be. As security engineers, it is very easy to make assumptions about the usability of our work and hard to get it right without testing.
