On not using more security than you need

This post does not represent the views of my employer or anyone else but me.

Using secure transmission channels involves two main issues: content security and end-to-end authentication. Consider the case of someone who provides news to a variety of paying customers. Does it make sense to use something stronger than just ordinary FTP or HTTP with usernames and passwords sent in the clear? Maybe not. Communications security isn't free, after all; it costs the provider for certificates, bandwidth, and computer cycles, and it costs the client likewise, plus the extra programming effort if the news is to be automatically processed.

The information in news is essentially all public knowledge: its value resides in its timeliness and reliability. Typical customers for news pay by an annual contract, not per download, so they have nothing to lose if the content is stolen by some third party. Does the news provider? Probably not, unless the theft happens on a truly massive scale. Occasional freeloaders are simply no big deal.

As for reverse authentication (is the customer getting its news from the real news provider?), a successful DNS spoof would be far more effectively employed against some e-business site that actually passes around credit card details or the like. News just isn't in that category.

Finally, why would anyone pay to get news in the first place that is available on many websites for free? For one thing, news changes, by definition; this tends to improve the stickiness of sites that display it; when users return to the site, they will find that things have changed at least somewhat. For another, the client may believe that the news provider's credibility (a non-credible news provider doesn't last long) will rub off on him.

No comments: