Lets face it, the whole WiFi connection thing is junk and it is a part of
the network that is not in a place where the IETF usually acts - the UI.
Well, that is fine because the IETF is part of ISOC and do you know what
else just became a part of ISOC? The Online Trust Alliance. And they are
all about security, trust and UI.
I think that we maybe should have a talk about this with some ISOC folk
because it is definitely an area where maybe we need a bit of 'joined up
standards making'. There are parts of this problem that lie in CABForum
space, OTA space and IETF space.
I presume that there will be ISOC people there. We should talk about what
parts of the problem should lie where. I am not happy with the fact that
the WiFi alliance has still not provided a secure user experience after all
this time and obviously sees no need for one.
This issue is becoming a very serious political issue and has been the
reason that I have been making trips to D.C. recently to speak to members
of Congress and their staff. With Congress gridlocked, the range of
legislation they can get through is small, the only thing that people can
agree on is the need for better cyber security. Do people want to have that
conversation under the ISOC umbrella or do I have to use congressional
staffers to jackhammer the obvious into people's management chains?
Yes, the WiFi thing is a problem. And yes we need to fix it. Maybe get
round a whiteboard with some beers. Think outside the box and this problem
solves itself: have a mechanism for the access points to say 'ietf-legacy
is also me' and the client can upgrade. But that is just one detail and we
won't solve the user's problem if all we do is solve each problem as it
presents itself, taking three years each. Lets just design something that
does not stink and to do that we have to admit some of the reasons that
Security Usability remains miserable.
The big problem that I see with the Security Usability folk is that many
think it fine to say, 'users can't understand security indicators' so we
don't do them. This is wrong for several reasons.
1) We spend an inordinate amount of time telling users they they should
take care online but not how to make themselves safe. A product that
refuses to even let the user see the information that would allow an expert
to make that determination is a bad product.
So that is the first thing to realize. If the research tells you that your
product stinks. Don't you dare use that research to say that the problem is
impossible. Because your bosses-bosses-boss might just end up in a hearing
next to me and he might just end up agreeing with me.
2) If we can't give useful advice now, we have to work out how to change
the protocol so that we can in future. Users cannot understand a
Certificate Transparency log or a PKIX cert chain. But they might just be
able to intuit that the older a certificate is, the more likely it is that
they might understand it. Hence my proposal for a 'First Issued' aka
'Member Since' extension for certs.
3) The alternative is allowing certain large Internet services to turn
parts of the net into gated communities. Having obstructed (or demolished)
all the infrastructures that could provide some security for users against
the attacks THEY care about (identity theft, not mass surveillance) they
will stick to the big names they know and trust to prevent them going into
the 'bad' parts of the net.
This is of course the old walled gardens issue but in a different form. Oh
and my is the US Republican Party onto that one. If you look at the
legislation some members that claim to be anti-regulation have proposed
recently, it is a real eye opener.
The people I am meeting with know what I am and what my roles are. The
reason they are giving me time of day is because they know that a gated
community run by two companies very strongly aligned with their opposition
is not in their interest. It is not in our interest either to have security
systems to be a part of applications and platforms that are welded in so
the user has no choice over them.
Microsoft recognizes this, that is why there is an API for anti-virus to
plug into and you can choose to use the Microsoft one or a different one.