I agree with your general point, but suggesting non-techies should learn about cryptography in order to stay safe online is pretty ridiculous; if people need an understanding of crypto to be safe we might as well switch the Internet off.
And that's how you get people that think that every website starting with "https" is secure and legit, even though it's trivial for malicious sites to use TLS.
Fundamental cryptographic primitives (encryption, signatures, ...) don't require any advanced math to understand if you don't go into the concrete instantiations. The technical community should really try to better teach these concepts to the general public as we move further into the digital age.
I think people need to understand what's protected. Something like "https guarantees that you are connected to the website displayed in the address bar and that no one can see the content of the communication".
It's important because for example it makes it clearer why they should still check the url in the address bar (and not get phished) or that the communication with the website itself is not hidden (only the content is), etc.
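To make the "only the content is hidden" point concrete, here is an added example (not code from the thread) that builds a minimal TLS ClientHello for a constructed hostname and parses the server_name (SNI) extension back out of it. The ClientHello is the first thing a browser sends and goes out before any encryption is negotiated, so the destination hostname is readable by anyone on the path; the record layout follows the TLS handshake encoding, and the hostname and zeroed random are constructed sample values.

```python
import struct

# Added example, not code from the original thread: a minimal TLS ClientHello
# carrying the server_name (SNI) extension, and a parser that reads the
# hostname straight back out of the unencrypted bytes.

def build_client_hello(hostname: str) -> bytes:
    """Build one TLS record holding a ClientHello with an SNI extension."""
    name = hostname.encode("ascii")
    # server_name extension body: list length, name_type 0 (host_name), name length, name
    sni_data = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    extensions = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data
    body = (
        b"\x03\x03"                      # client_version: TLS 1.2
        + b"\x00" * 32                   # client random (zeros: constructed sample)
        + b"\x00"                        # session_id length 0
        + b"\x00\x02\x13\x01"            # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                    # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # type 22 = handshake


def extract_sni(record: bytes):
    """Return the SNI hostname from a ClientHello record, or None if absent."""
    if record[0] != 0x16 or record[5] != 0x01:
        return None                      # not a handshake record / not a ClientHello
    pos = 9 + 2 + 32                     # skip record+handshake headers, version, random
    pos += 1 + record[pos]               # session_id
    cs_len = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + cs_len                    # cipher_suites
    pos += 1 + record[pos]               # compression_methods
    ext_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 0x0000:           # server_name extension
            name_len = struct.unpack_from("!H", record, pos + 3)[0]
            return record[pos + 5 : pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None


if __name__ == "__main__":
    hello = build_client_hello("bank.example")       # constructed hostname
    print("hostname visible on the wire:", extract_sni(hello))
```

The same plaintext field is what network monitoring and filtering products key on, which is exactly why "which site you talked to" is not something HTTPS alone keeps private.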
What do you think you're teaching, then? Just general good practices?
A teen can be told and taught to wear a condom without explanation of the virology and biology behind the things that it helps to avoid -- similarly Grandma can learn the importance behind https without memorizing the cipher suites; it's still an aspect of cryptography.
The important point is that TLS is referred to as crypto in some cases, and I believe that's what the GGP was referring to. Were I writing an expository piece, sure, I might use different language, but that's not really what my reply was about.
To give another example where this comes up: keeping backups of your data is prudent. Encrypting those backups is a good idea in a lot of cases to protect your data in case of device theft. While most modern systems make this as simple as possible for the casual user it still helps the user to have a basic understanding of what’s actually going on and the implications.
If it were up to me every person with access to a computer where other people's personal or financial data is handled should be required to get a security certification stating they have a basic understanding of digital signatures, certificates, HTTPS, encryption and how to protect against common threats (phishing, social engineering). If people can't do that they might as well go back to typewriters and FAX machines.
In banks (and similarly regulated institutions) there's mandatory security training to educate employees. Sadly, in my experience, this "training" is essentially like those kids' rides at an amusement park where you're stuck in a trolley till the end – it's slow and mostly tedious but sometimes there's one bit of trivia that might delight. In the end, there's a very simple multiple choice test that is worded to make it more or less obvious what the correct answers are. If you do get it wrong you get infinite retries and there are only so many questions...
I'd love to see mandatory education in basic cryptography and such, but in reality I'd assume that even that would end up being security theater for the sake of ticking a box on the compliance score sheet.
This sounds like the OSHA 10 class I recently had to do. I think the issue here is that if a business wants workers it is incentivized to make the tests as easy as possible, not to make sure their employees know what they’re doing.
Agreed. On top of that, everyone who owns a car should be required to learn how to change their serpentine belts, oil, replace spark plugs, and alternator. They should be required to sign a paper saying they will change their tires with a spare on the side of the road and carry a jump starter with them at all times. The roads would be a safer place if people knew what was going on inside their cars and how to operate them.
> I agree with your general point, but suggesting non-techies should learn about cryptography in order to stay safe online is pretty ridiculous
I think it's about understanding concepts and uses, not the inner workings. As an example, Glenn Greenwald (despite being a reporter handling sensitive topics) didn't know how to use encryption when he was contacted by Snowden, and learned it later. [1]
I think it would be very useful if the general public could use encryption to the same level they drive cars.