this talk is inspired by the title quote, part of a response to the question "how much cryptography experience do you have?" normally, it wouldn't have been a big deal. in this case though, the person i was talking to was someone who'd just given a talk on his new web-based, new-and-improved system for cryptographically-secure email that is easy-enough-for-anyone-to-use. a system he'd written in his spare time and was plugging hard so that everyone in the world could feel safe that their email is secure.
riiiiiiight.
it's been getting too easy lately. want proof? i'm going to bring up a number of these systems that promise security, anonymity, authentication, non-repudiation, whatever other buzzwords in the general field of cryptology that happen to be big at the time. and then i'm going to show you how and why they're broken, along with the steps that could be taken to improve them.
i'll also show how systems that are very good can still have their weaknesses, which can range anywhere from mildly annoying to rather problematic. while i may regret it later on, i'll describe and demonstrate a few "attacks" which most people seem to have overlooked completely.
the end result? hopefully the audience will have a better understanding of the common mistakes that novice cryptographers make, and will avoid them in the future. hopefully people will have a better idea of how to determine what to avoid if they want to actually be secure. and hopefully i won't offend anyone too badly in the process.