I do not have much to say about crypto except that the ‘Public Key Infrastructure” (PKI) is worse than useless. YURLs and modest browser mods to support them are badly needed. Crypto is hard and there is much good work out there, some of it deployed.
Capabilities are the solution for most platform security problems. They are catching on too slowly. We do not yet have a model of user capacity to reason about and interact with agents within his computer. There are some people that we cannot help. We need to harness natural paranoia.
The attack surface of the typical computer is getting larger faster than the holes in the surface are being fixed.
It is feasible for me to reliably interact with my bank from my current lap top hardware but with different software, relying on 400KB of reliable software, even while GBs of legacy software run on my machine. It is feasible, but not with current software.
Identification of natural persons is not my department.
There is a place for trusted 3rd parties, but current cloud patterns are not it (with a few exceptions perhaps).
Too many attacks today merely exploit the platform as designed and succeed without relying on bugs. The confused deputy is in this category. Another category is that installers want root authority for no better reason than writing stuff in the same conventional directories. The apartment design shows that other conventions are possible: No bugs involved here either: all the code works as designed, including the code from the bad guys. I don’t have OCaml installed today on my Mac today because their installer wants root authority.
Another category is like heart-bleed where the code of an infrequent protocol is run with excess authority. That bug assumed that incoming packets conformed to the rules. When inexpensive flexible system level protection is available, as in cap systems, the code that responds to the heart-beat protocol runs with only the minuscule authority it needs, which is to return a packet, derived from only the input packet. It had and misused its enormous authority to read (and send) any data in the SSL server, including keys in use by others. Yet another category of bug is where a server is in charge of discriminating among it clients. A browser is a very complex program responding to many protocols. The code that turns html into pixels has no need to read my files, let alone write them, nor any need except to respond with an array of pixels, and it does not need the right to modify pixels outside its own allocated portion of the screen.
Capability discipline at the foundation level addresses all of these issues. It solves most of them. The most common answer we heard as we tried to sell this technology: “We are sure that when and if security becomes important someone will provide a Unix module that fixes things.”
Yes, many exploits rely on bugs that are uncommon in languages better than C. ASLR sort of addresses most of those.
Alas migration to Keykos is not a simple, although there are inobvious migration paths.
There are other cap platforms too.