Whitfield Diffie has been credited with making privacy possible in the digital age. As a co-inventor of public key cryptography, he is one of the most respected contributors to the field of computer security and is in constant demand as a speaker.
In his day job as Sun Microsystems' Chief Security Officer, he works out of a corner office in the Sun Labs. He's just down the hall from where scientists are working on Java-based sensors and Sun's next-generation Proximity Communication processors, which seek to do away with wire connections.
Though he describes his job as a "marketing" position, Diffie doesn't sound anything like a corporate pitch man. He met with IDG News Service at his Menlo Park, California, office recently to share his thoughts on Microsoft, security, and privacy. Following is an edited transcript of that conversation.
IDGNS: When the PC went on the network, there were security implications that nobody thought about. Microsoft has spent the last five years fixing all of the security problems that maybe could have been foreseen ...
Diffie: Wait a minute. I think there are two issues. I think you'll find that lots of them were foreseen. I think the critical thing [is] that Microsoft showed that it's judgment was correct. If it had paid less attention to security, maybe it would have had less market share.
It had no real motivation, I think, until the last few years to try to fix these things. The interesting thing to me is why it's been so hard for them to do so, because they must have half the smart people I know about in the industry, and in security, working for them. And I think it has to do with the problems of legacy code, and the legacy interface expectations of their customers.
IDGNS: Nowadays we don't hear about widespread security outbreaks, but there's a sense that many of the things we do on the Internet are not trustworthy. People going to Web pages do not have confidence that they are where they think they are.
Diffie: I think that's a well-placed mis-confidence.
IDGNS: So, are things getting better?
Diffie: Phishing is the security problem, at that level, that I hear the most about right now. But I certainly don't worry about the security arrangements of going to Americanexpress.com, where I probably make the single largest most routine money transfer that I initiate. I'm not the least bit worried about that, partly because of the law, and partly because the essential point of SSL [Secure Sockets Layer -- a standard used in secure Web connections] is not about the quality of the cryptography -- about which there's often some doubt - but about the fact that the certificate costs enough money that the thieves aren't putting up a front.
It's hard for me to believe that [the Internet] is getting relatively more secure. The growth of communications has steadily outrun the protection of communications over the whole history of human communication. Now I conjecture that the expansion of networked communications and of society's dependence on network communications is outrunning the security of that network and will continue to do so for quite some time.
So the consequence of believing that is [believing] we're becoming more vulnerable, although to what events, it is hard to say.