Re: General security question

["Marcus J. Ranum" <mjr () nfr com>]

Carson Gaspar wrote:
> > By the way, as a general rule, a VPN is useless if you don't know
> > anything about the security at the other end. Indeed, the whole notion
> > of doing a secure transaction/data transfer to a site where you don't
> > know anything about the security is kind of dubious.
>
> A _minor_ disagreement. A VPN provides privacy up to the partner's demarc. 
> At that point liability for any breach of privacy is the partner's (either 
> on their net, or because they exposed the keying material).

That makes sense if you're interested in butt-covering. If you're
actually interested in security, then you've got to take into account
the state of the partner's network.

Butt-covering's a tactic we have to resort to all too often, at the
expense of really doing the right thing, because it's much harder
to do the right thing than to almost do the right thing. :) Actually,
you can almost break it down into a game-theory style prisoner's
dilemma: if you want to do the right thing but any of the other
entities involved is just interested in butt-covering, it's provably
impossible to do the right thing thereafter.

mjr.
---
Marcus J. Ranum     Chief Technology Officer, NFR Security, Inc.
Work: http://www.nfr.com
Play: http://pubweb.nfr.net/~mjr


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards