Wednesday 11 June 2008

Security without trust

Can we really have security without trusting someone or something?

I came to think about that the other day when trying to improve a server-backed desktop application that authenticated itself through a third party by popping up a web browser showing the third party's login form. As there are no really good web browser components for Java that you can use without too much hassle, I was thinking about doing a Swing form which would post the information to a web page over SSL.

The suggestion was considered insecure and was rejected. When I thought about it, I came to the conclusion that this was a matter of trust, or should I say distrust. Why was such a solution less secure than popping up a web browser transmitting the same sensitive information? For some reason the third party felt more secure if the information was handled by a random web component from any developer than by a Swing solution by me.

It is all a matter of trust, and to have security you must trust someone. When you go to a secure web page you must trust that Thawte or Verisign, or whatever certificate authority has issued the site's security certificate, has done a good job validating the certificate owner's identity. Whenever you register on a web page you trust that the site will keep your information secure.

Security is a matter of trust. Who do you trust?
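In a Java desktop application the question "who do you trust?" has a very concrete answer: the certificate authorities in the JVM's default trust store, plus the hostname check that ties the server's certificate to the URL you connected to. The example below is added here and is not code from the original post; it lists those trust anchors and then posts a form body over HTTPS using exactly that default trust manager. The class name, the method names and the command-line arguments (a URL and a form body) are my own choices.

```java
import java.io.OutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example: shows which roots a Swing login form posting over SSL would rely on.
public class TrustAnchors {

    // Builds a trust manager backed by the JVM's default trust store (normally cacerts).
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null means "use the JVM default trust store"
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Prints the subject of every CA certificate the JVM will accept as a root.
    // Every one of these is an organisation you are implicitly trusting.
    static void printTrustAnchors(X509TrustManager tm) {
        for (X509Certificate ca : tm.getAcceptedIssuers()) {
            System.out.println(ca.getSubjectX500Principal().getName());
        }
    }

    // Posts an application/x-www-form-urlencoded body over HTTPS.
    // Certificate chain validation uses the default trust manager above, and the
    // connection keeps its default HostnameVerifier, which matches the certificate
    // against the host in the URL. Replacing either with an accept-all version is
    // what turns "security" into "no security": the trust anchor disappears.
    static int postForm(String url, String formBody) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { defaultTrustManager() }, null);

        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");

        byte[] body = formBody.getBytes(StandardCharsets.UTF_8);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body);
        }
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        X509TrustManager tm = defaultTrustManager();
        printTrustAnchors(tm);
        // Optional: java TrustAnchors https://example.invalid/login "user=alice&password=..."
        if (args.length == 2) {
            System.out.println("HTTP " + postForm(args[0], args[1]));
        }
    }
}
```

Run without arguments to see the list of roots; it is usually well over a hundred entries, which is the point: the Swing form is no less (and no more) trustworthy than the browser, because both bottom out in a list of certificate authorities that somebody else chose to trust on your behalf.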

I am not an early adopter

This is the first time I have written a blog entry, so you can definitely say that I am no early adopter when it comes to this weblog thing.

The same goes for Java. I made some pathetic attempts back in the 90s, but it was not until the beginning of this century that I really got into it and got really hooked.

But I guess it's a good thing that I am a late adopter. It is better to learn from other people's mistakes. Life is too short to make them yourself.

This is for you, mom.