Ok. Here's a small rant and a question: I am an Air Force Security Specialist. I'm always looking for a more secure way for sensitive communications / business. What bothers me is how we currently do business. Examples: Today, in 2021, the cost accounting system I'm required to use for my time cards and bill programs requires me to use Internet Explorer, TLS 1.0, and Active X; my computer is configured with Windows 10, with Defender and McAfee running; the DoD has implemented new portals written in Flash until last year. I could go on...
I believe, if you want a secure system, limit your attack surfaces and control as much of your environment you can. So...
Here's my question: How hard would it be to create a server and client for secure communications. Connections would be through a client other than an internet browser. Connections would use SQRL or PKI for authentication. After authentication, encrypted connections would only support ASCII text. No graphics, no JAVA, no videos, no Active X, etc. Like the Wise and Vax terminals we used back in the day. Wouldn't this greatly reduce the attack surface? Less exploitable code? Less interpreters? How hard would this be to implement on a Linux system? I imagine you could create a custom Linux kernel with strictly limited functionality to limit attack surface.
I would be the first to sign up for a banking service that only used ASCII text to conduct business. I don't need to see ads when I want to transfer funds between accounts. I don't need trackers, like buttons, or other code running and tracking me when I want to see my account balance. Does this make sense? Am I being stupid?
Thanks if your read this.
dc
I believe, if you want a secure system, limit your attack surfaces and control as much of your environment you can. So...
Here's my question: How hard would it be to create a server and client for secure communications. Connections would be through a client other than an internet browser. Connections would use SQRL or PKI for authentication. After authentication, encrypted connections would only support ASCII text. No graphics, no JAVA, no videos, no Active X, etc. Like the Wise and Vax terminals we used back in the day. Wouldn't this greatly reduce the attack surface? Less exploitable code? Less interpreters? How hard would this be to implement on a Linux system? I imagine you could create a custom Linux kernel with strictly limited functionality to limit attack surface.
I would be the first to sign up for a banking service that only used ASCII text to conduct business. I don't need to see ads when I want to transfer funds between accounts. I don't need trackers, like buttons, or other code running and tracking me when I want to see my account balance. Does this make sense? Am I being stupid?
Thanks if your read this.
dc