Here's a solid discussion regarding threat models and how protocol designers fail in the face of invalid assumptions. It touches heavily on themes found in Eric Rescorla's paper, The Internet is Too Secure Already, which I had the priviledge of recently hearing in person. His talk was refreshingly anti-Fear Peddling. He even made mention of a point too often glossed over; E-commerce is a success not because SSL is so great but because you have limited liability from credit card fraud. [via zooko]