This is especially dangerous for crypto because these people might not understand the bugs they've created. They read a book or two, they read some source code, and then they implement their own version.
See, for example, the random number generator bug in Debian. Smart people and many eyes make mistakes with crypto.
With cryptographic software, a small, subtle, hard-to-find bug could render the product pointless: it could make the cryptography trivially easy to crack. See any bug tracker for bugs which have been left for years. Most of those bugs can be left without too much impact on the users. The thing about the Cryptocat thing is that there are questions about transparency that are valid (and I've seen your conversation on Twitter and agree with some of your points), but I'm trying to avoid falling into that situation. That's not to say you're wrong; I think you have some valid points, but in every other domain it appears there's a good-enough level, and when I at least encounter UK government crypto we're told it's the same. I see where you're coming from with it, but to take your point: I can pull keys out of a memory dump, so who cares which process it comes from? In this case does it mean we should all wait for a perfect OS that scrubs memory on everything properly and encrypts swap?
It's a matter of having something resilient enough for the use case not to matter. Don't make it harder to get found.

As someone who's done a lot of non-crypto side channel stuff (particularly around signal modulation for exfil), I'm of the view that side channel stuff happens and it's not exclusive to crypto. Think of it like being a little kid lost in a shopping mall.
How could anyone have any kind of grip on the safety of a system that fundamentally changes its crypto constructions so often?

A lesson here: if you have to implement cryptography (and you and your users would be much better off if you didn't, and rather relied on a standard implementation like PGP), do one thing and stick with it. I'm not sure I've ever seen a system as popular as this so quickly take a tour of so much of cryptography. The difference between symmetric-keyed password-based encryption, RSA, Diffie-Hellman and ECC (presuming ECDH?) isn't minor; it isn't a feature-level distinction. The hardest part of this to read for me isn't the vulnerability, but rather:

2011 Passwords: PBKDF2-HMAC-SHA1 with 1000 iterations
2011 Passwords: PBKDF2-HMAC-SHA1 with 600 iterations