What is snake oil



Tuesday, January 29, 2008, 22:18
Posted in the Cryptography category.

Snake oil refers to a cryptography or security product that makes exaggerated claims about what the product can do, giving the user a false sense of security. The use of the term for computer security products is credited to Matt Curtin; it comes from the 19th-century American practice of selling cure-all elixirs in traveling medicine shows, where snake oil salesmen falsely claimed that their potions would cure any ailment. The term has been appropriated to describe security and encryption products that make impossible claims, such as unbreakable codes.

The problem with bad security is that it looks just like good security. You can’t tell the difference by looking at the finished product. Both make the same security claims; both have the same functionality. Both might even use the same algorithms: triple-DES, 1024-bit RSA, etc. Both might use the same protocols, implement the same standards, and have been endorsed by the same industry groups. Yet one is secure and the other is insecure.

Many cryptographers have likened this situation to the pharmaceutical industry before regulation. The parallels are many: vendors can make any claims they want, consumers don’t have the expertise to judge the accuracy of those claims, and there’s no real liability on the part of the vendors (read the license you agree to when you buy a software security product).

This is not to say that there are no good cryptography products on the market. There are. There are vendors that try to create good products and to be honest in their advertising. And there are vendors that believe they have good products when they don’t, but they’re just not skilled enough to tell the difference. And there are vendors that are just out to make a quick buck, and honestly don’t care if their product is good or not.

Most products seem to fall into the middle category: well-meaning but insecure. I’ve talked about the reason in previous CRYPTO-GRAM essays, but I’ll summarize: anyone can create a cryptography product that he himself cannot break. This means that a well-meaning person comes up with a new idea, or at least an idea that he has never heard of, cannot break it, and believes that he just discovered the magic elixir to cure all security problems. And even if there’s no magic elixir, the difficulty of creating secure products combined with the ease of making mistakes makes bad cryptography the rule.
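The point above, that two products can advertise the same primitive and yet differ completely in security, as an added illustration that is not part of the original post or any real product: both constructed "encryptors" below use SHA-256 in counter mode as a keystream, but one picks a fresh nonce per message and the other reuses a fixed nonce, so its keystream repeats and the XOR of two ciphertexts equals the XOR of the two plaintexts. The `audit` function is a constructed check an evaluator can run without the key; it is not something the page describes.

```python
import hashlib
import os

# Constructed illustration: a keystream built from SHA-256 over (key, nonce, counter).
# Both "products" below use this same primitive with the same key size.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

NONCE_LEN = 16

def encrypt_good(key: bytes, plaintext: bytes) -> bytes:
    # Fresh random nonce per message, prepended so the receiver can decrypt.
    nonce = os.urandom(NONCE_LEN)
    return nonce + xor(plaintext, keystream(key, nonce, len(plaintext)))

FIXED_NONCE = bytes(NONCE_LEN)  # the snake-oil product never varies this

def encrypt_snake_oil(key: bytes, plaintext: bytes) -> bytes:
    # Identical primitive and key size, but the keystream is the same for every message.
    return FIXED_NONCE + xor(plaintext, keystream(key, FIXED_NONCE, len(plaintext)))

def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return xor(body, keystream(key, nonce, len(body)))

def audit(encrypt, key: bytes, p1: bytes, p2: bytes) -> bool:
    """Return True if the product leaks p1 XOR p2 from two ciphertexts of equal length,
    i.e. if the keystream was reused. A correct design returns False."""
    c1, c2 = encrypt(key, p1), encrypt(key, p2)
    return xor(c1[NONCE_LEN:], c2[NONCE_LEN:]) == xor(p1, p2)

if __name__ == "__main__":
    key = os.urandom(32)
    p1, p2 = b"transfer 100 to account A", b"transfer 900 to account B"
    print("snake oil leaks plaintext XOR:", audit(encrypt_snake_oil, key, p1, p2))  # True
    print("fresh-nonce design leaks:     ", audit(encrypt_good, key, p1, p2))      # False
```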
