This post will be a little outside the norm for my blog in that I’ll be reviewing software, an Alpha release from a company called Keybase.
Let’s start out by looking at public key cryptography between two individuals. It’s a workflow that is somewhat common, and in today’s day and age, where privacy should be of the utmost concern to even the most basic of Internet users, it is still somewhat difficult to achieve for anyone who’s not an advanced user.
Before we go any further, a level set. This post will not dive into the workings of public key cryptography, the differences between a certificate-based approach and one such as GnuPG, or the pros and cons of each beyond what’s needed to illustrate various points. There are multiple posts online that cover these topics, and I encourage you to become familiar with them if you are not already. I am also simplifying some aspects of how public key cryptography works in order to convey a point to the widest possible audience.
For too many years the responsibility of security in software has landed squarely in the lap of the customer. That’s YOUR lap, if you’re keeping track, but I’m not telling you anything you don’t already know. I’ve been there and I know that pain, all too well.
The process typically looks like this. You install a product, then you spend days or weeks tweaking it to match a hardening guide from the company that wrote the software. It’s even worse if you’re hardening to a guide or instruction that the vendor had absolutely no hand in writing at all. We call that Hardening in the Blind, and that’s a whole other topic I’ll save for another post. It happens far more often than you think, especially in the DoD community.
So if there are hardening guides for a product why can’t those requirements be inherent within the platform? Why must they be bolted on to the product, an afterthought if you will? I’ve been asking myself that question for years, and I know it has crossed your minds as well.