Re: General security question
From: "Marcus J. Ranum" <mjr () nfr com>
Date: Sun, 12 Nov 2000 12:58:28 -0500
Carson Gaspar wrote:
> > By the way, as a general rule, a VPN is useless if you don't know
> > anything about the security at the other end. Indeed, the whole notion
> > of doing a secure transaction/data transfer to a site where you don't
> > know anything about the security is kind of dubious.
>
> A _minor_ disagreement. A VPN provides privacy up to the partner's demarc.
> At that point liability for any breach of privacy is the partner's (either
> on their net, or because they exposed the keying material).
That makes sense if you're interested in butt-covering. If you're
actually interested in security, then you've got to take into account
the state of the partner's network.
Butt-covering's a tactic we have to resort to all too often, at the
expense of really doing the right thing, because it's much harder
to do the right thing than to almost do the right thing. :) Actually,
you can almost break it down into a game-theory style prisoner's
dilemma: if you want to do the right thing but any of the other
entities involved is just interested in butt-covering, it's provably
impossible to do the right thing thereafter.
Marcus J. Ranum Chief Technology Officer, NFR Security, Inc.
firewall-wizards mailing list
firewall-wizards () nfr com