Why low quality encryption is not better than no encryption
Today, I was considering reconfiguring a program to stop supporting relatively less secure SSL connections and found myself thinking the old refrain of 'well, maybe there's some client that only works with the old stuff, isn't it better for them to have some encryption rather than no encryption?'
This is a superficially attractive thought, and it's certainly an easy refrain to fall into. It's also wrong.
From the semi-mathematical security perspective, it sounds good; having weak encryption defeats some attackers and makes some attacks just that little bit more difficult. But that's the wrong perspective, because security is not math, security is people and people are really bad at understanding degrees of security. When you say 'low quality encryption', they miss the 'low quality' and just see the 'encryption'.
(Well, sort of. It is not so much that they miss the low quality, it is that almost everyone lacks the knowledge to understand how low the low quality is and how vulnerable they are as a result. 'Encryption' is something that people understand, while 'low quality' is a meaningless buzzword.)
The end result is that in practice, your low quality encryption winds up creating an unwarranted feeling of security in both people and programs (because programs are written by people). In short, they put more trust in it than they should (ie any trust whatsoever). For the purposes of actual practical security, they would be better off with no encryption at all because then they would understand that they weren't protected (or at least have a realistic chance to).
The much shorter version of this is: if the connection is not really secure, you should not pretend that it is. Pretending just hurts people in the end.
Hopefully I will remember this logic the next time I go through this exercise and proceed to the bit where I actually turn off 'known to be insecure' stuff. (I didn't get to the actual configuration bit today; I just convinced myself that I should.)
Comments on this page:Written on 29 November 2010.