Unfalsifiability of security claims
https://www.microsoft.com/en-us/research/wp-content/uploads/2015/09/unfalsifiabilityOfSecurityClaims.pdf
2018-01-18 19:37
There is an inherent asymmetry in computer security: things can be declared insecure by observation, but not the reverse. There is no observation that allows us to declare an arbitrary system or technique secure. We show that this implies that claims of necessary conditions for security (and sufficient conditions for insecurity) are unfalsifiable. This in turn implies an asymmetry in self-correction: while the claim that countermeasures are sufficient is always subject to correction, the claim that they are necessary is not. Thus, the response to new information can only be to ratchet upward: newly observed or speculated attack capabilities can argue a countermeasure in, but no possible observation argues one out.
This is perhaps a bit too formal to make for an easy read, although the general idea rings true. We pile on advice (particular example: rules for passwords) without fully analyzing what’s necessary or beneficial. The reminder that we may not know which defenses really work seems helpful; the formal proof less so.
source: grugq