[Info-vax] VSI has released 9.2-1
Arne Vajhøj
arne at vajhoej.dk
Tue Jul 4 21:25:48 EDT 2023
On 6/19/2023 9:43 PM, Dave Froble wrote:
> People who count on encryption to provide protection don't really care
> all that much. Do enough to check the appropriate box, then not their
> problem.
>
> People who really care about security of course may use SSL, but then
> what happens when the encryption is broken? The user's data is
> available to the hackers. But what if the app developers ensured that
> the data, if encryption is defeated, doesn't really mean anything to the
> hackers. Some custom stuff in addition to SSL and such. Yeah, even
> then, some hacker might figure out the data. But isn't it better to
> make it as tough for the hacker as one can?
>
> Now I'll hear from some "you got to use standards". I'd ask "why?" The
> problem with standards is, everybody knows them.

There are two benefits from going standard.

Interoperability. If the communication is based on standards, then
software from different vendors can communicate. SSL (TLS 1.2 or 1.3
of course!) is a widely supported standard so C programs on VMS,
Java programs on Linux and VB.NET programs on Windows can communicate
without problems due to the standard.

Security. The publicly known standard protocols and algorithms are being
reviewed by thousands of mathematicians all over the world. A home-grown
protocol and algorithm will be reviewed by a few software engineers
who may or may not have math/cryptography knowledge. The first will
simply result in a better solution.

Good cryptography does not depend on protocols or algorithms
being unknown. It is possible to construct stuff that is secure
even with known protocols/algorithms. And protocols/algorithms
that are not secure if known are very bad. They will eventually leak.

Arne