[Linux-aus] comment for an article on Government website accessibility

Paul Coldrey paul at ensigma.com.au
Fri May 29 14:05:26 EST 2009


Rhett Kipps wrote:
>
> Quite interesting that it claims email is insecure then:
> a) hosts a webform without using SSL, ensuring that is not encrypted 
> either, and susceptible to a MITM attack;
> b) suggests postal mail to the address provided in the clear over the 
> web is somehow more secure, although also susceptible to a MITM attack.
>
> Seems to be a load of rubbish.  If they were genuinely concerned about 
> security, the webform would utilise SSL, and the page detailing the 
> "secure" postal address should also be served over SSL to ensure the 
> web server's identity.
I would have thought the main reason not to post an email address is 
because it would get inundated with spam like every other email address 
that is listed on the web.

Whilst at a theory level, I agree entirely with Rhett's comments:
1. a MITM attack on the form is a non-trivial undertaking - far trickier 
than spoofing an email (which is of course completely trivial)
2. intercepting snail mail is surprisingly tricky right up to the point 
where it hits the mail box. Before this the only real risk is the mail 
man tasked with making the delivery (in processing there are lots of 
machines and lots of cameras wherever people are involved). Hence if 
it is deposited securely then it is quite secure from all but a very 
small bunch of Australia Post employees.

I guess my point (if I indeed have one) is that we all know most pollies 
are "dumb" when it comes to technology. I am not convinced it is 
helpful to snipe at them at this level. Let's get them to understand 
open source is a viable alternative... then we can start to teach them 
about what is really involved in web security. Personally, I think it 
would be pretty stupid for Kevin Rudd to advertise an email address.

Cheers,

    Paul
