radiant.matrix

A collection of thoughts and links from the minds of geeks




Hey Safefunds: “Non-standard” does not mean “more secure”

24 April, 2008 (12:19) | Technology | By: radiantmatrix

There’s a company called Safefunds, which is essentially a transaction-escrow service. Since you are giving them potentially large sums of money, and quite literally banking on their security to protect the transaction, the following statement on their site is somewhat troubling:

The Safefunds’ patent pending system uses a non-standard computer protocol making it more secure from “hacker” attacks. — Safefunds’ page on security

How do I know that their “non-standard” protocol is any better than “standard” ones? I can certainly think of standard protocols that are plenty secure enough for me to trust my transactions to — but how do I know if theirs is better or worse?

I don’t think I’ll be giving them any of my money.


Comments

Comment from Mike Black
Time: 12. May. 2008, 07:27

Actually, you have totally missed the point. I think they are saying that whatever their non-standard protocol is, it does not attract the hacking types like Windows or Linux does. Think OSX vs. Vista. Anyway, I bought my Vette through Safefunds and the service works and it’s cheap.

Comment from radiantmatrix
Time: 12. May. 2008, 13:47

“Actually, you have totally missed the point.”

Thank you for responding. However, I have to say that it is you, sir, that have missed the point.

It doesn’t matter how large SafeFunds’ attack surface is — which is what you’re referring to when you make the Windows/Linux and OSX/Vista comparisons. What matters is trust.

Imagine SafeFunds said “we’re using 128-bit SSL and TLS to secure our links, and all confidential data is secured using AES-256 with Diffie-Hellman for key exchange”. Those algorithms and protocols have been widely reviewed, and have a proven track record of resisting attacks. If SafeFunds is lying about actually using these things, they can be sued if people lose money. Therefore, I don’t have to trust SafeFunds very much to trust my money to them — I have a high degree of confidence that they’re using secure technology.

However, since they don’t say what they’re using — and in fact strongly suggest that they’ve built something themselves — I have to trust them a lot more. Not only do I have to trust their intentions, I have to trust that their programmers and engineers knew what they were doing, and I have to trust that their “non-standard protocol” works as advertised. And, I have to do this with no data except “well, it hasn’t been hacked yet.”

Don’t take my word for it, I’m not the only security professional out there. Instead, go research what people like Bruce Schneier — people with dozens of years of security experience — have to say about “secret” and “proprietary” security solutions. In nearly all cases, these “proprietary” approaches turn out to be snake oil.
