Nadia Heninger Is Watching You

It’s been a bad week for online security. An “extremely critical” Ruby on Rails security hole; a Yahoo! Mail XSS exploit; and yet another Java 0-day vulnerability. I know, I know, security is hard: still, it’s difficult not to be left with a frustrated throw-up-your-hands “can’t anybody do anything right?” feeling.

So I paid close remote attention to the Real World Crypto workshop at Stanford this week. (OK, fine, I followed it on Twitter.) And I was struck, in particular, by this proposal from Ron Rivest–yes, that Ron Rivest

Finally, something that the egregiously broken software-patent system would actually be good for! Here, you can have your security technology for free…as long as you’re using it in a responsible manner. But if you misuse it, or fail to patch, or fail to upgrade once vulnerabilities become apparent, then you have to start to pay.

I think that’s kind of brilliant. Enterprises take security seriously to exactly the extent that they have an economic incentive to do so. And let’s face it, that’s not particularly strong evolutionary pressure. Lose a few million credit card numbers, and what happens? You get a few days of press attention, and maybe a creeping class-action suit; otherwise, pretty soon, most everyone forgets. But if you have to pay for not having your security act together, then you’ll soon start paying attention to it, too.

Oh, don’t get me wrong: I’m not demanding that every app and every site become a heavily-encrypted Fort Knox. But there’s no excuse any more for flagrant idiocies like storing passwords in plaintext, or failing to transmit personal information via HTTPS rather than HTTP. (Which Yahoo just started doing this year. IE in 2013. Sigh. But thanks, Marissa!)

Obviously pay-for-negligence patents wouldn’t address all of these problems. But maybe they’d change the all-too-common attitude wherein basic security and privacy measures are an afterthought.

Meanwhile, Princeton/Microsoft researcher Nadia Heninger presented a paper wherein

We perform the largest ever network survey of TLS and SSH servers and present evidence that vulnerable keys are surprisingly widespread.

(This is bad.) And —

promptly became the Chuck Norris of the crypto world–

I know, I know, very funny. But all this highlights a larger point: There are security holes everywhere online, some of them quite gargantuan. Don’t even get me started on the colossal debacle of certifying authorities, or the problems with Skype.

It would be nice to think that enterprises will fix these problems out of the goodness of their corporate hearts, or their desire to do the right thing, or their fear of potential litigation. But the only incentive that’s all but guaranteed to work is a financial one; and Rivest’s elegant proposal just might create just that. Here’s hoping it catches on.