Yes. Why do we do web? Because lazy sysadmins blocked all but HTTP. But we still need to communicate. Let's do UDP-like streams on top of TCP. And maybe we still need to open firewalls to make A & B communicate without going through a central thing C, to have no SPOF. Let's invent STUN, a way to trick firewalls into opening an incoming transmission behind a FW. Our security seems broken. Indeed. What do we do? We put more broken stuff on the web like JWT/OAuth. And STUN bites into your security? Either ignore it or use a «DPI» proxy. But that breaks the purpose of secured communications, still does not solve the problem, and breaks TLS. Wait, we have IPsec in IPv6; no matter that cryptographically it is considered weak, it is there by default in Windows and PS4, and we have open source servers... that are buggy as hell with root rights. Maybe PGP, SSH, roll your own crypto? Good idea, no users know how to use them correctly, devops included... And what about the multiplication of passwords and credentials? Let's use a broken application with root rights and bugs to serve as a wallet that has a good UI, or a good enough application no one can use because of the restrictions? Money is based on trust. The real harm that can happen to IT is to lose the trust of the customers, hence its value.