Mar 18, 2017
12:55 PM EDT
zdnet wrote: Mozilla says most people are "pretty fuzzy" about the way encryption works. Some 65 percent say they know a little about encryption but wish they knew more, while almost a third said they know almost nothing about it.

Encryption while 'online' could mean:
  • Checking that server to client traffic is encrypted via TLS by observing the https lock indicator
  • Encrypting email using either x509 or PGP keys.
  • Encrypting uploaded personal data using either x509 or PGP
  • Checking DNSSEC signatures via the appropriate browser extension
  • Any number or combination of cryptographic signature and encryption techniques
In my view, use of strong cryptographic techniques has been stymied by the preference for x509 keys signed by CAs as the default identity assurance model.

There are also the muddied waters over 'certificates' versus 'keys'... these things are the same thing. A certificate is a signed public key. There is no cryptographic difference between an x509 cert and a signed PGP key. Both are public keys that have been cryptographically signed. The main difference between x509 and PGP is the trust model of the signatures on the public keys. However, there is no reason a PGP key can't be signed by a corporation, government, or trusted domain and used the same way as an x509 public key is used... to establish a trust root.

So... what about 'encryption' use online? What does that mean anyway?

The main issue is not encryption, it is trust in the cryptographic signatures contained on public keys.
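Editor's added example (not part of the post above, and not code from any project the post mentions), illustrating the post's two claims with Go's standard-library crypto/x509: a certificate is nothing more than a public key plus a signature, and whether a verifier accepts it is decided by the signers the verifier chose to trust, not by the key. One subject key pair is certified twice, by a hypothetical "Corp CA" and by a hypothetical second signer called "Friend", for the hypothetical hostname example.test. CheckSignatureFrom answers the purely cryptographic question (does this issuer's key verify the signature over the to-be-signed bytes?), while Verify answers the policy question (is this chain anchored in a root I installed?).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newRoot builds a self-signed CA certificate: a public key signed by its own private key.
// The names passed in ("Corp CA", "Friend") are hypothetical, chosen for this example.
func newRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// certify has signer vouch for pub under the name host. The output is just pub,
// some metadata, and signer's signature over both: a signed public key.
func certify(signer *x509.Certificate, signerKey *ecdsa.PrivateKey, host string, pub *ecdsa.PublicKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// signedBy is the cryptographic check only: does issuer's key verify cert's signature?
func signedBy(cert, issuer *x509.Certificate) bool {
	return cert.CheckSignatureFrom(issuer) == nil
}

// trustedGiven is the policy check: is cert acceptable for its hostname when the
// verifier has installed exactly these roots as trust anchors?
func trustedGiven(cert *x509.Certificate, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: cert.DNSNames[0]})
	return err == nil
}

// Outcome records what the demonstration observed.
type Outcome struct {
	CertCarriesSubjectKey bool // the cert's public key is the subject's key, unchanged
	CorpSigVerifies       bool // Corp CA's signature verifies with Corp CA's key
	CorpSigVerifiesFriend bool // ... and fails with Friend's key
	TrustedIfCorpIsRoot   bool // accepted when the verifier trusts Corp CA
	TrustedIfFriendIsRoot bool // same key, same cert, rejected under a different root
	FriendCertTrusted     bool // the second signature on the same key passes under Friend
}

func demo() (Outcome, error) {
	var out Outcome
	corp, corpKey, err := newRoot("Corp CA")
	if err != nil {
		return out, err
	}
	friend, friendKey, err := newRoot("Friend")
	if err != nil {
		return out, err
	}
	subjectKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // one long-term key
	if err != nil {
		return out, err
	}
	const host = "example.test" // hypothetical hostname
	byCorp, err := certify(corp, corpKey, host, &subjectKey.PublicKey, 2)
	if err != nil {
		return out, err
	}
	byFriend, err := certify(friend, friendKey, host, &subjectKey.PublicKey, 3)
	if err != nil {
		return out, err
	}
	out.CertCarriesSubjectKey = byCorp.PublicKey.(*ecdsa.PublicKey).Equal(&subjectKey.PublicKey)
	out.CorpSigVerifies = signedBy(byCorp, corp)
	out.CorpSigVerifiesFriend = signedBy(byCorp, friend)
	out.TrustedIfCorpIsRoot = trustedGiven(byCorp, corp)
	out.TrustedIfFriendIsRoot = trustedGiven(byCorp, friend)
	out.FriendCertTrusted = trustedGiven(byFriend, friend)
	return out, nil
}

func main() {
	out, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The subject's key never changes between the two certificates; only the signature on it does, and a cert that one verifier accepts is rejected outright by a verifier with a different root set. Swapping in a PGP key with two third-party signatures would exercise exactly the same two questions; what differs is how a verifier decides which signers count as roots.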

