Comments on Nick Coblentz: Rugged Software – Telling Your Security Story

Nick Coblentz (2012-03-25 22:26):

Hi Rory,

I agree. Many of the security pages say rather silly things to the effect of "We use 128-bit encryption, so everything is fine". In the near future, I hope that companies in similar sectors would all produce these security narratives, and then a consumer, buyer, or outsourcer could compare them all together. The vendor with more meaningful details would then attract more potential customers. Those customers would also need to consider price, maintainability, reputation, and a whole host of other issues. But at least security would be considered during the buying decision. It could even become a differentiator for a vendor!

Anonymous (2012-03-25 14:38):

Interesting post. I think that one of the problems with public narratives regarding security is providing accurate information that's actually meaningful to the users of the service.

The CrashPlan links you provided are actually a good example of this. One of the key differentiators that they mention for the CrashPlan+ service on those pages is the use of 448-bit keys instead of 128-bit.

From a cryptographic perspective that difference is meaningless: 128-bit keys are (assuming the implementation is fine) not feasibly breakable with current technology, so there's no security advantage to using 448-bit keys (AFAIK anyway).

One supposition that could be made there is that there was a marketing drive for a "bigger number" for the + plan, but it illustrates the tension between marketing a service and providing accurate information about things like security...