[ajross]

> As some people used to say, "security is binary; you either are secure or you are not".

I'm sorry, which people used to say that? I'm not aware of any serious security professionals who hold that opinion. "Security" is and has always been a complicated spectrum of interactions and requirements.

[rlidwka]

I don't remember the exact quote, and might have used one out of place.

I am thinking about it in binary terms, because it helps to prevent security through obscurity trap many seem to fall in.

My point is: the fact that a particular bug has security impart seems pretty binary. And dismissing one because "hey nobody will think of/work hard enough/have enough money/etc. to make use of it" isn't a very bright idea.

See 3rd party content under a legitimate url? The system is insecure. Period.

[schoen]

One thing you might be thinking of is "there should be one mode, and it should be secure".

http://iang.org/ssl/h3_there_is_only_one_mode_and_it_is_secu...

This isn't exactly the same as what you said, but I think it's an argument in favor of your point of view.

Another analogous thing is that academic cryptographers will regard an algorithm or protocol as broken if an adversary can gain a significant advantage (probability of distinguishing things that are supposed to be indistinguishable, reduction in work factor, etc.), even if the resulting work factor to mount the attack is still enormous. For example, if there were an attack that could break AES in 2¹⁰⁰ operations, AES would be considered broken even though we believe there is no one who can perform 2¹⁰⁰ operations, because it no longer provides the designed or advertised security margin.