I’ve been talking with Felix Gaehtgens, who attended the RSA Conference this spring in San Francisco. Besides discussing the news from different vendors, we came to another topic. Felix asked me whether I know Bruce Schneier, definitely one of the world’s leading security experts. For sure I know him – not personally, but from his publications.

Felix then stated that even Bruce Schneier had been seen at the WLAN helpdesk of the RSA Conference – and Felix conceded that he hadn’t managed to access that WLAN either. My comment on this: “I also didn’t manage to access the WLAN of the RSA Europe Conference in London in spring 2007. After some time I decided to use my UMTS card and pay the horrendous roaming fees.”

Oops, three experts struggling with a WLAN? Every one of us is definitely an experienced user with a strong administrative background. It looks like RSA has opted for maximum security: if no one is able to access the WLAN, there will be no security risks.

This experience puts a spotlight on the everlasting conflict between security and usability. If technology is too complex, it doesn’t really work. And while we know that RSA is able to implement easy-to-use solutions, it looks like they have chosen an approach for their event WLAN that is far too complicated.

The solution isn’t reduced security – it is re-thought security, where the things that are too complicated are changed. That applies not only to the WLAN at the RSA conference, but to every security technology.

I’m convinced that the slow adoption of PKIs and certificate technologies beyond SSL certificates for websites is mainly an issue of too much unnecessary complexity. Anyone who talks about “Trusted Root Certificates” or, in German, “Vertrauenswürdige Stammzertifizierungsstellen” really shouldn’t wonder why some users hesitate.

Keep it simple – and make it secure. That might be more complex to achieve, but it is what we require.