Comment by lighthouse1212
7 hours ago
The 2023 timing obfuscation is a nice case study in security defaults vs edge cases. Most SSH users won't notice 100 packets per keystroke - it's noise in the bandwidth budget. But for high-frequency terminal apps, it becomes the dominant cost. At 2000 concurrent players updating 80x60 chars at 10fps, a custom protocol might be the right answer regardless of obfuscation settings.
You'd think the cover traffic would automatically cut out once the connection reached a certain rate though.
Just think of the trees burnt in the name of security!
I can think of a few things that burn more energy per second than I'll burn in my entire lifetime via the use of encryption.
Coincidentally, they're all, somehow, insanely useless.
Each of our devices spends a lot of energy dedicated to encryption. By now, all disks you did not set up manually are most likely encrypted and hardly any unencrypted package will travel out of your network. That's not to mention the tons of load and dedicated hardware we have just to terminate https and scan traffic for suspicious activity or the hardware being replaced because its internal security triggered/broke.
In a perfect world, we could send all traffic completely unencrypted and never scan for a malicious payload, saving all that energy and hardware. But we do not live in that world and drawing the line with this minor, mostly unintrusive security feature seems strange.
> In a perfect world, we could send all traffic completely unencrypted and never scan for a malicious payload, saving all that energy and hardware.
In a world with such social cohesion, we'd be defeated by an alien species being able to quickly interpret and exploit our technology like in the hit film Independence Day (note, we're the defeating alien species in this example). https://www.youtube.com/watch?v=9DIjBGierkA
That's the judgement made with all consumption of energy. The benefits weighed against the costs.
Because of the harms of environmental change, there should be pressure placed to avoid damaging ways to generate that energy.
When people complain about the amount of energy being used, they are making the judgement on the benefits. This is subjective and people do not agree on the benefits. The argument you shouldn't do this because of the energy consumed is implicitly saying "My judgement on the worth of this supersedes yours".
Pretty soon it devolves into criticizing the energy use of things you just don't like.
A society has to accept that people have different opinions on things. That includes what it is worth using energy for.
Producing clean energy is something everyone should be able to get behind. There is a solid consensus that it would make a better world.
Shouldn't we sacrifice some security for convenience? And shouldn't we at least have a public discussion where to draw the line?
I already don't encrypt my Pinebook storage, because the device is low-powered.
I now disabled ObscureKeystrokeTiming on the ssh clients where it does not matter. And it should not matter in 99.9999% of cases.
P.S. There's a good reason airline frequencies are unencrypted AM and I hope IT "security" mindset does not reach its dirty hands up the air.