Thorsten Glaser <t...@mirbsd.de> writes:

> Only if it provides secrecy.

> If one of the communication partners (say, the client, because it’s on a
> mobile) uses a guessable secret (say, due to lack of entropy), the
> session is lost.

I think that statement is somewhat too absolute. There are levels of protection that you can get, and guessable secrets still require someone to do the work of guessing. Even if you're using a straight pseudorandom number generator, the attacker still has to do some non-trivial work.

If you, specifically, are a target of a government agency, that probably isn't going to help. However, if you're just interested in avoiding getting sucked into the casual dragnet, it helps quite a bit, since it puts the complexity of an attack over the value of your data.

Schneier made this point recently and it's worth repeating: security isn't about making your data perfectly secure. Security is about increasing the cost of getting at your data to more than your data is worth to the attacker. While strong security is obviously better, since it's easier to satisfy that requirement, weaker security is not worthless.

That said, your suggestions for making the security stronger are certainly welcome, and that's always what we should strive for. I just wanted to make a minor point here about not letting the best be the enemy of the good. While we're working on something better, it's still worthwhile to deploy the tools we have.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>

Archive: http://lists.debian.org/87ioxzmnws....@windlord.stanford.edu