03 Mar 2010
V3.co.uk managed to get five minutes with security legend Bruce Schneier at RSA 2010 in San Francisco to get his views on the current threat landscape.
Yesterday we saw a presentation saying that anti-virus systems are failing 10-30 per cent of the time. What's your take on that?
I don't believe that, otherwise I'd be infected with lots of malware.
If it is, I'm not paying attention. It's true that signature-based anti-virus is
reaching the end of its useful life, but I'm not seeing data that supports that
position.
We've also seen Secure Sockets Layer (SSL) come under attack, and
some experts are saying it is useless. Do you agree?
I'm not convinced that SSL has a problem. After all, you don't have to use it.
If I log on to Amazon without SSL the company will still take my money. The
problem SSL solves is the man-in-the-middle attack with someone eavesdropping on
the line. But I'm not convinced that's the most serious problem. If someone
wants your financial data they'll hack the server holding it, rather than deal
with SSL.
But doesn't SSL give consumers confidence to shop online, and thus
spur e-commerce?
Well up to a point, but if you wanted to give consumers confidence you
could just put a big red button on the site saying 'You're safe'. SSL doesn't
matter. It's all in the database. We've got the threat the wrong way round. It's
not someone eavesdropping on Eve that's the problem, it's someone hacking Eve's
endpoint.
So is encryption the wrong approach to take?
This kind of issue isn't an authentication problem, it's a data
problem. People are recognising this now, and seeing that encryption may not be
the answer. We took a World War II mindset to the internet and it doesn't work
that well. We thought encryption would be the answer, but it wasn't. It doesn't
solve the problem of someone looking over your shoulder to steal your data.
Won't all this harm internet commerce?
Yes and no. Sure it's a problem, but e-commerce works moderately well.
When you consider that 30,000 people die in the US from road accidents, the
effect of computer crime must be taken in context.
What about online banking? Why is it taking so long to sort out
phishing fraud?
Well, if the banks continue to make money it could last a long time.
Let's not forget that credit card companies have been dealing with fraud pretty
much since credit cards were invented. As long as the costs are low, they'll
deal with it. It could get really bad, but I think we'll muddle through. We
muddle through with burglary, murder and a host of other things. It's all
relative.
What's your view on the opening up of the Comprehensive National Cybersecurity Initiative?
Well, the devil is in the details. Most of the useful stuff is still
classified, so if there's no useful stuff in there it doesn't matter. [White
House internet security adviser] Howard Schmidt is certainly effective. He's one
of the few people I know and trust, and he's good at this. But you can't make
things work in Washington if you're swimming against the tide.
Finally, as an avid reader of your Schneier on Security blog, what's your obsession with squid about?
I did actually get an email from someone telling me I should post more
on security and less on squid, as though there was some kind of trade-off! What
can I say? I just like squid.