Hacker News | AnaniasAnanas's comments

Nobody was ever fired for using DJB. Meanwhile I would gladly fire someone for using AES128 or the NSA-sponsored curves, despite being in Suite B.

> Meanwhile I would gladly fire someone for using AES128 or the NSA-sponsored curves, despite being in Suite B.

Why? Pointing SSL Labs at my bank, it's what they use (ECDH secp256r1). What does your bank use? Or is there a site that you consider more important than that one?

Would you fire the folks at Let's Encrypt, who only offer certs of RSA and P-{256,384}? Gmail, where they do offer x25519, but where most browsers use secp256r1?

Banks are not known for using the best/safest solutions. Just take 4-digit PINs and 3DES into account, for example.

> who only offer certs of RSA and P-{256,384}?

I am pretty sure that nginx and OpenSSL only recently added support for Ed25519 certificates. Although to be honest I don't really like the idea of Let's Encrypt. The addressing system that Tor uses has solved that issue already.

> but where most browsers use secp256r1?

This is an issue. Browser vendors should prioritize the DJB algorithms.

> some of them do involve using RSA with absurd key sizes and they'll likely fail the competition.

Only one (specifically DJB's joke post-QC algorithm), and it did not pass to the second round.

> WhatsApp, Telegram and Signal use mobile phone numbers as identifiers

One notable exception (which as I understand is tptacek-approved) is Wire, which only needs an email.

I concede that Wire has essentially lifted the core crypto bones from Signal. But metadata collection is a clear distinction between Signal and Wire, so if what 'jcranmer is saying about email metadata is persuasive to you, your choice between Wire and Signal should be clear: use Signal, not Wire.

> Nobody actually wants to rely on a single entity (for or non-profit) for their communication

You don't have to do that. Protocols like tox for example are distributed and use DHT in order to find peers.

It's even worse than it seems. The certificates are only a few megabytes long. https://twitter.com/FiloSottile/status/1145091106138394625

Both Signal and Wire are FOSS though.

As much as I believe that Efail was the result of badly implemented email clients, it's not like the OpenPGP standard didn't have any involvement with it whatsoever. DJB for example suggests small authenticated and encrypted packets, something that OpenPGP does not have. See https://groups.google.com/forum/#!original/boring-crypto/BpU...

Since I am apparently replying too fast and I need to slow down, here is my reply to the child post by Sir_Cmpwn:

> I don't really see the link between the email you posted and efail

GPG decrypts the whole message, which might be gigaoctets long, and throws it to the output. After it has been decrypted it checks the MDC (if it exists) and throws an error if the MDC does not match or if it is missing. Meanwhile, if an OpenPGP message was composed of small authenticated packets, GPG would be able to first check whether the MAC of the packet is correct and then return an error right away if it does not match. If it did match it would return the plaintext and move on to the next packet. You can see now how Efail would be prevented, right?


Do people use PGP nowadays? I was under the impression that pretty much everyone used GPG ever since it was released.

I don't really see the link between the email you posted and efail, other than the fact that PGP encrypts the whole message. I don't understand how, if it encrypted smaller parts of the message, efail could have been avoided.

PGP has semi-optional, strippable authenticators. Serious cryptographic protocols do not. Plaintext encrypted with a modern AEAD cipher --- forget protocols, here we're just talking about selecting reasonable primitives --- can't be decrypted without simultaneously authenticating. That's not how PGP (or S/MIME) works, and that malleability led to Efail.
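The two decryption models contrasted in the comments above (decrypt the whole message and check an integrity value at the end, versus a stream of small authenticated packets where nothing is released until its tag verifies) are easy to see side by side in code. The following is an added example written for this page; it is not code from any commenter, from GnuPG or from the OpenPGP spec. It uses only the Python standard library, so the cipher is a stand-in: HMAC-SHA256 run in counter mode as the keystream, with an encrypt-then-MAC tag over each packet. Every real system should use a vetted AEAD (AES-GCM, ChaCha20-Poly1305) instead; the function names, the 16-byte chunk size, the key, nonces and sample plaintext are all constructed for the demo.

```python
"""Decrypt-then-check vs. small authenticated packets (added example)."""
import hashlib
import hmac
import struct

CHUNK = 16      # plaintext bytes per packet; tiny so the demo shows several packets
TAG_LEN = 32    # HMAC-SHA256 tag length


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from one master key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, index: int, n: int) -> bytes:
    """PRF in counter mode: keystream for packet `index`, `n` bytes long."""
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + struct.pack(">QQ", index, block), hashlib.sha256).digest()
        block += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(mac_key: bytes, nonce: bytes, index: int, final: bool, ct: bytes) -> bytes:
    """Tag binds the packet index and a last-packet flag, so reordering and
    truncation are detected, not just bit flips inside one packet."""
    header = nonce + struct.pack(">Q?", index, final)
    return hmac.new(mac_key, header + ct, hashlib.sha256).digest()


# --- model 1: one ciphertext, one trailing check (the MDC-style layout) ---
def encrypt_whole(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    enc, mac = _subkeys(key)
    ct = _xor(pt, _keystream(enc, nonce, 0, len(pt)))
    return ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()


def decrypt_whole_then_check(key: bytes, nonce: bytes, msg: bytes, sink: list) -> bool:
    """Streams plaintext into `sink` as it is produced; the check runs last.
    Returns whether the trailing check passed. Whatever the sink already
    consumed cannot be taken back, which is exactly the Efail-shaped problem."""
    enc, mac = _subkeys(key)
    ct, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    ks = _keystream(enc, nonce, 0, len(ct))
    for off in range(0, len(ct), CHUNK):
        sink.append(_xor(ct[off:off + CHUNK], ks[off:off + CHUNK]))  # released unverified
    return hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest())


# --- model 2: small authenticated packets, verify before release ---
def encrypt_chunked(key: bytes, nonce: bytes, pt: bytes) -> list:
    enc, mac = _subkeys(key)
    chunks = [pt[i:i + CHUNK] for i in range(0, len(pt), CHUNK)] or [b""]
    packets = []
    for i, c in enumerate(chunks):
        ct = _xor(c, _keystream(enc, nonce, i, len(c)))
        packets.append(ct + _tag(mac, nonce, i, i == len(chunks) - 1, ct))
    return packets


def decrypt_chunked(key: bytes, nonce: bytes, packets: list, sink: list) -> bool:
    """Releases a packet's plaintext only after its tag verifies; stops at the
    first bad packet, so nothing from it or anything after it reaches `sink`."""
    enc, mac = _subkeys(key)
    for i, p in enumerate(packets):
        ct, tag = p[:-TAG_LEN], p[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(mac, nonce, i, i == len(packets) - 1, ct)):
            return False
        sink.append(_xor(ct, _keystream(enc, nonce, i, len(ct))))
    return True


def demo() -> dict:
    key = hashlib.sha256(b"constructed demo key").digest()  # constructed, not a real key
    nonce_a, nonce_b = b"\x00" * 12, b"\x01" * 12  # distinct per message; never reuse under one key
    pt = b"Attack at dawn. Bring the PGP keys and the coffee."  # constructed sample, 50 bytes

    # Attacker flips one ciphertext byte so the plaintext 'B' at offset 16 reads 'X'
    # (a stream cipher, like CFB in the thread's case, is malleable this way).
    forged_whole = bytearray(encrypt_whole(key, nonce_a, pt))
    forged_whole[16] ^= ord("B") ^ ord("X")
    seen_whole: list = []
    whole_ok = decrypt_whole_then_check(key, nonce_a, bytes(forged_whole), seen_whole)

    packets = encrypt_chunked(key, nonce_b, pt)
    forged_pkt = bytearray(packets[1])
    forged_pkt[0] ^= ord("B") ^ ord("X")
    seen_chunked: list = []
    chunked_ok = decrypt_chunked(key, nonce_b, [packets[0], bytes(forged_pkt)] + packets[2:], seen_chunked)

    return {
        "whole_ok": whole_ok, "whole_released": b"".join(seen_whole),
        "chunked_ok": chunked_ok, "chunked_released": b"".join(seen_chunked),
        "untampered_ok": decrypt_chunked(key, nonce_b, packets, []),
        "truncated_ok": decrypt_chunked(key, nonce_b, packets[:-1], []),
        "reordered_ok": decrypt_chunked(key, nonce_b, [packets[1], packets[0]] + packets[2:], []),
    }
```

Running demo() shows the difference the thread is arguing about: in the whole-message model the trailing check does fail, but by then the sink holds the entire forged plaintext ("Attack at dawn. Xring the PGP keys..."), so a client that renders or fetches as it decrypts has already acted on attacker-controlled data. In the packet model only the first, verified packet ("Attack at dawn. ") is released and decryption stops; dropping the last packet or swapping two packets also fails, because the tag covers the index and the last-packet flag, which is the detail a chunked design must not leave out.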

No competent engineer would accept in 2019 (or, for that matter, 2009) a new cryptosystem that functioned the way PGP does.

The OpenPGP RFC bis does add AEAD. The spec is overall much too flexible IMO and could use some modernization, but I don't see it as un-salvageable, as you seem to.

OpenPGP is unsalvageable. One of the core goals of modern cryptography is to eliminate backwards compatibility with insecure 1990s crypto; OpenPGP instead lovingly preserves it.

Much of that could be solved by an implementation having user-controlled policies that whitelist/blacklist sets of algorithms. An implementation could be made with a sane default policy.

Of course, some things ought to just be replaced (S2K).

I tried exporting org-mode to latex in the past and found it extremely buggy. I don't really see a reason not to just directly use LaTeX instead.

I have co-authored several academic articles in Org mode with exporting to LaTeX. The main reasons for choosing Org were that (i) we wanted to include the analysis code, table generation and figures in the same file as the manuscript, and (ii) the workflow was Emacs-centric. The Org markup was simple, readily allowed for inserting most LaTeX, had nice tables, but was fiddly for some more complex tasks. I recently needed to convert one of the manuscripts from Org to Word - pandoc was very helpful.

We could possibly have used TeXmacs, R markdown (especially with RStudio), some variant of noweb, or even Jupyter with conversion to LaTeX using pandoc.

*Everywhere. My own school experience in Europe was pretty much the same as he described. And it is not only my school experience either; there were many cases of unpunished power abuse that the teachers engaged in, in nearby schools.

The schools that I went to had around 300 students. It did not stop the abuse by teachers nor did it stop the bullying that the teachers ignored.

I never experienced or observed bad bullying or even physical violence (except for some minor skirmishes, usually between friends) during my school years.

We surely had our share of socially awkward people, but they were left alone unless they themselves acted out, and they usually still made some friends.

We didn't have true bullies. Maybe occasionally somebody from a higher grade would tease somebody younger, but never for long, let alone repeatedly. Beating somebody up would have been a great crime worthy of grave penalties in our eyes, and we would have stopped it and then have ratted out whoever it was in a heartbeat. If somebody tried to bully somebody beyond what we considered acceptable teasing or be aggressive to somebody, the classmates would protect whoever it was, even the socially awkward kid. This only happened once in my peer group, with a dude who had freshly transferred from another school (moved cities IIRC) trying to be the "cool" guy picking on an awkward kid, starting to slap him. He quickly learned that if you want to bully or fight one of us, you will fight all of us. Forming a crowd around him telling him to leave his victim alone, fuck off and never try it again with anybody was enough. A few years later we were buddies with him.

There were some students who gave teachers a somewhat hard time, but mostly "class jokers" who probably suffered from ADHD. I only ever had one classmate who posed such a problem that the teachers could not handle her within our school. She was then sent off to a special care place specializing in teens with her kinds of problems, not as a punishment or some bullshit "zero tolerance" policy but to help her.

This is of course just my personal experience in the two schools I personally visited, but it makes me genuinely wonder how the dynamics in a school can change and deteriorate to a point where constant bullying and even beat-ups are tolerated and common (whether it be due to obliviousness or fear). But I know it happens, and happens a lot.
