End-end security dream

Everyone seems to be quoting Ray Ozzie’s article talking about the end-end security principle. Mark O’Neill notes that the end-end security concept is not a panacea. He quotes one of his colleagues:

“Let’s not confuse securely designed with securely implemented…the vast bulk of the security issues have been implementation problems. Adding in a whole, complex layer of authentication, encryption and validation would, frankly, have just given software developers more chances to screw up.”

I would like to add another perspective to this. I am for application-level end-end security as much as anybody else; unfortunately, in practice it often proves too expensive. It needn’t be so when there is only one application to be secured and little or no crypto is required. But as soon as cryptography is used at the data level, it gets interesting: one gets a whole load of key management issues and other practical problems (e.g. backups, export of data, key expiration, workflows, etc.). If you are developing a new application from scratch, and you have developers with enough crypto skills, chances are you can pull it off.

What’s bad is that you won’t get much support from off-the-shelf software. Ozzie’s Groove and Notes are probably the exception to this, but neither of them is the most widespread development platform. So to get crypto working in your COTS environment, you need to consider buying some additional software or adding a considerable amount of development. Just for illustration, in a case where I investigated these issues, adding only digital signing to the application translated into 25% extra cost. These costs can be justifiable for a mass-market software package. But in bespoke deployments (vertical apps) it is quite a lot of money for a feature that does nothing useful in the users’ eyes (it only makes their lives more difficult). This conclusion may sound brutal, but that is the attitude the general public has towards security.

We haven’t finished yet. The problem gets even worse.

A single application is the exception rather than the rule, and more often than not you need to integrate several applications together. If these applications were not developed with a single end-end security concept in mind (and it is not much of a gamble to say that they were not), end-end security will end at the interface of the first application the users talk to. So even if you try to push your e-e dream, you will get security only slightly better than what the traditional approach gives you, at a higher cost.
