The Brunch Table

1/9/2004

When Cryptography and Reality Collide

Filed under: — Joe @ 8:11 pm

Back in the early 90’s, the Cypherpunks made a lot of noise about how cryptography was going to change the world, keep people from snooping on your email, tell you who you can trust, and the like. Well, the math may have been sound, but getting the stuff to work for ordinary people has been much harder.

A decade has passed, and just about everyone still sends email that the feds (and anyone else who’s watching the network) can read without breaking a sweat. Sure, it’s possible to send private mail from most modern mail programs, but setting it all up is such a hassle, and how many people would actually know how to decode it once they received it?

As for the trust thing, trust certificates are better than nothing when you’re giving Amazon your credit card number, but they’ve got their own issues. I got an email today from someone I’m working with, asking if this Sun alert affected the program that I’ve been working on. Essentially, one of the most basic Verisign certificates that many programs and websites use to express trustworthiness expired recently, causing some websites and Java programs to toss up confusing error messages, and prompting Norton Antivirus to go on a Windows-hobbling rampage. Sure, there are some good reasons for these certificates to expire, but the fact of the matter is, software is built by humans who forget things like certificate renewals. The potential for end-users to suffer for the negligence of others is all too great.

So now software and website publishers are scrambling to install fresh certificates, and in the meantime, VeriSign is telling people that it’s OK to ignore the “invalid certificate” error messages–which kind of defeats the purpose of having them in the first place.

Ultimately, cryptography has turned out to be more of a user interface problem than a math problem.
