Hacker News new | comments | show | ask | jobs | submit login

Quoting Dan Geer: "Convenience, freedom, security - choose two."

Solid cryptography concepts were never easy to implement and use.

My main problem lies not with the Gnu/PG or PGP software implementations, but with the actual platforms. Do I trust my iPhone/Android/public internet cafe computer/the family computer? Is it compromised? What about your computer manufacturer? Lenovo, perhaps? Or Apple?

The problem of information safety does go far beyond software. Neglecting this is not an option.

There is certainly life in the old dog called pgp, but I am yet to be convinced of a mass market software concept that allows me to have the same level of confidence in its security as the open source packages I have installed on my offline computer.

"The paranoid will survive."




Choose two? How do I pick security and convenience without freedom? I can't think of any way giving up freedom makes those easier. Blind trust can make me ignore security problems, but I can have blind trust and freedom, or lack of freedom without blind trust.

I feel like "security or convenience" is a better representation of the choice, even if it's not as cute. Freedom is off to the side.


I probably shouldn't go around and disagree with quotes from people I have never heard about, but there is no law that means encryption has to be ackward, user-unfriendly or badly designed.



Can you name a single counterexample?

HTTPS: You can give up freedom and some security for convenience of 3rd party registrars! You can roll your own which is less convenient and likely less secure… Not really sure of the 3rd option here.


OTR?


WhatsApp.


WhatsApp fails freedom and arguably security.

Let's put things in context. Would you trust WhatsApp to be part of the US nuclear launch chain? Or talkes between the leaders of US, France, China, and North Korea.


No and yes.

The type of encryption used in whatsapp is not something I want to authenticate in anything that has to be dormant and used in an emergency without a network, but that doesn't mean it is bad crypto.

Yes, why not? You still need to ensure that the people involved with whatsapp can be trusted, but even the NSA can't do that in every case (ie Snowdon).




Applications are open for YC Winter 2018

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: