Web-based cryptography is always snake oil (www.devever.net)
from overflow64@lemmy.ml to cryptography@lemmy.ml on 10 Apr 2024 02:03
https://lemmy.ml/post/14270825

#cryptography

threaded - newest

Hobbes_Dent@lemmy.world on 10 Apr 2024 02:06 next collapse

  • A cryptosystem is incoherent if its implementation is distributed by the same entity which it purports to secure against.

Preach

N0x0n@lemmy.ml on 10 Apr 2024 08:54 collapse

NSA 👀

prettybunnys@sh.itjust.works on 10 Apr 2024 02:53 next collapse

This kinda sounds like the many decades old argument for security domains and trusted paths

Just, not quite as well made and not nearly as well informed.

20 years ago this was a cromulent argument. Today it’s just narrow

lemmy_in@lemm.ee on 10 Apr 2024 03:18 collapse

What a brain-dead take. If your threshold for true safety is “literally no one can force you to decrypt it or affect the system in any way” then of course it’s insecure, and so is everything else unless everyone writes their own crypto implementation yourself locally.

“oh I compile my binaries from source so I’m safe”

Someone could compromise the source repo and have it serve a compromised version to your machine. I guarantee you aren’t reading the entirety of the open SSL source code before you compile it.

Anyone that takes this article seriously should read On Trusting Trust. It’s a very short essay that states the point much more eloquently than the post author that you eventually have to trust someone. Whether that’s Apple or Signal or some random maintainer of your crypto implementation library, you have to trust someone that it hasn’t been backdoored.