Should developers learn crypto?
Larry Osterman has an interesting post on whether or not developers should learn crypto:
I’m all for developers learning about crypto. But developers also need to understand that it’s all well and good for them to understand crypto, as long as they don’t ever actually attempt to IMPLEMENT crypto.
Because if they do attempt to implement crypto, they’re going to get it wrong.
I think he’s exactly right. I’m a big fan of what Clay Shirky calls “situated software”, but unfortunately, much of that situated software is being written by people who don’t know what they don’t know. (If I had a nickel for every site I’ve seen that used HTTP GET to send login and password data to the server, I’d have… about $2.35.) A photoblogging system I looked at used a base64 encoded username as the secure cookie that let the system know that a user had logged in properly (if you don’t know what that means, it means that it would be really easy to log in as someone else as long as you knew their username.)
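The cookie flaw described above, next to one corrected form, as an added example that is not code from the photoblogging system or from this post. The function names and `SERVER_KEY` are hypothetical, and the fix relies on Python's standard-library HMAC rather than any hand-written primitive.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed key for this example; a real server loads it from protected config.
SERVER_KEY = secrets.token_bytes(32)


def weak_cookie(username: str) -> str:
    """The flawed scheme: the cookie is only an encoding of the username."""
    return base64.b64encode(username.encode()).decode()


def weak_verify(cookie: str) -> Optional[str]:
    """Accepts any well-formed base64, so it proves nothing about who sent it."""
    try:
        return base64.b64decode(cookie, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None


def signed_cookie(username: str, key: bytes = SERVER_KEY) -> str:
    """Username plus an HMAC-SHA256 tag computed with a key only the server holds."""
    payload = base64.urlsafe_b64encode(username.encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def signed_verify(cookie: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Returns the username only when the tag matches; otherwise None."""
    payload, sep, tag = cookie.partition(".")
    if not sep:
        return None  # no tag at all, e.g. a cookie in the old unsigned format
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    try:
        return base64.urlsafe_b64decode(payload).decode()
    except (ValueError, UnicodeDecodeError):
        return None
```

The signed form carries no expiry or revocation; an opaque random session ID looked up server-side is the usual alternative when those are needed.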
And that’s just web software. The consequences of implementing bad crypto can be even worse, because who uses encryption unless they have something to protect, right?
Also, don’t miss this explanation of Kerberos which he links to. It’s an oldie (I’m surprised I haven’t seen it before) but a goodie.
July 11th, 2005 at 4:03 pm
Thanks for the pointer to the Kerberos explanation, John. :)
March 23rd, 2006 at 3:33 pm
And of course - the more that you discourage developers from trying to develop new encryption standards the easier it will be for three lettered government agencies to exploit the existing handful that exist. The devil you know & all that…