It’s been a bad week for online security. An “extremely critical” Ruby on Rails security hole; a Yahoo! Mail XSS exploit; and yet another Java 0-day vulnerability. I know, I know, security is hard: still, it’s difficult not to be left with a frustrated throw-up-your-hands “can’t anybody do anything right?” feeling.
So I paid close remote attention to the Real World Crypto workshop at Stanford this week. (OK, fine, I followed it on Twitter.) And I was struck, in particular, by this proposal from Ron Rivest (yes, that Ron Rivest):
awesome. Ron Rivest suggests patents on crypto algs that are royalty free until algs become weak, to encourage upgrades. #realworldcrypto
— Ben Adida (@benadida) January 11, 2013
Rivest: it might've helped if there had been a patent on MD5—royalty free as long as no collisions had ever been detected. #realworldcrypto
— zooko🛡🦓🦓🦓 ⓩ (@zooko) January 11, 2013
Finally, something that the egregiously broken software-patent system would actually be good for! Here, you can have your security technology for free…as long as you’re using it in a responsible manner. But if you misuse it, or fail to patch, or fail to upgrade once vulnerabilities become apparent, then you have to start to pay.
I think that’s kind of brilliant. Enterprises take security seriously to exactly the extent that they have an economic incentive to do so. And let’s face it, that’s not particularly strong evolutionary pressure. Lose a few million credit card numbers, and what happens? You get a few days of press attention, and maybe a creeping class-action suit; otherwise, pretty soon, most everyone forgets. But if you have to pay for not having your security act together, then you’ll soon start paying attention to it, too.
Oh, don’t get me wrong: I’m not demanding that every app and every site become a heavily-encrypted Fort Knox. But there’s no excuse any more for flagrant idiocies like storing passwords in plaintext, or failing to transmit personal information via HTTPS rather than HTTP. (Which Yahoo just started doing this year, i.e., in 2013. Sigh. But thanks, Marissa!)
Obviously pay-for-negligence patents wouldn’t address all of these problems. But maybe they’d change the all-too-common attitude wherein basic security and privacy measures are an afterthought.
Meanwhile, Princeton/Microsoft researcher Nadia Heninger presented a paper wherein
We perform the largest ever network survey of TLS and SSH servers and present evidence that vulnerable keys are surprisingly widespread.
(This is bad.) And —
https://twitter.com/radian/status/289437422121541632
promptly became the Chuck Norris of the crypto world:
https://twitter.com/kaepora/status/289486378507571200
https://twitter.com/kaepora/status/289488435855630336
When Nadia Heninger is near a computer, its memory freezes in fear and the RSA keys fall out #nadiaheningerfacts #realworldcrypto
— @letoams@defcon.social for now (@letoams) January 11, 2013
I know, I know, very funny. But all this highlights a larger point: there are security holes everywhere online, some of them quite gargantuan. Don’t even get me started on the colossal debacle of certificate authorities, or the problems with Skype.
It would be nice to think that enterprises will fix these problems out of the goodness of their corporate hearts, or their desire to do the right thing, or their fear of potential litigation. But the only incentive that’s all but guaranteed to work is a financial one, and Rivest’s elegant proposal just might create exactly that. Here’s hoping it catches on.