Remix.run Logo
adirelle 3 days ago

> the entity you want protection against is generally not the software provider but a third party.

This. The author is dismissing the whole web-based cryptography, or any end-to-end cryptography for that matter, on the basis of a one-dimension analysis.

upofadown 3 days ago | parent | next [-]

But claiming that your system is end to end encrypted means that you are claiming protection from you and your system. This is mainly a truth in advertising issue.

stymaar 3 days ago | parent [-]

> means that you are claiming protection from you and your system.

Not necessarily. I push for e2ee everywhere I can for a completely different reason: when (not “if”, “when“) we get breached, we cannot leak sensitive data we don't have.

tarpitt 3 days ago | parent [-]

The problem is that your system can be changed at any time such that you can have the information.

stymaar 3 days ago | parent [-]

Only if you manage to deploy malicious code and have it stay there undetected. But in practice this is much harder than having access to a DB or a backup for a few minutes (that's all it takes to leak data).

(Just as an example, at my current employer, out of 8 people in the company, there are 8 people who have credentials that permit at least some db access in one way or the other (anyone that has at least one of this job: customer support, account managers, data scientists, devs). There are only 3 people who can push changes to production, and you need 2 out of 3 to do so, and all of three get paged when a release happen. Of course it's not infallible, but the probability of the app being corrupted is orders of magnitude lower than the DB being breached, by the mere scale of the number of people who have access to these things. And again, you only need transient access to the data to leak it, when you need persistent access to do damage by corrupting the code. Most companies I worked for had an even worse ratio between people having access to some sensitive data and people having the ability to push corrupted code in production).

sscaryterry 3 days ago | parent | prev [-]

The article is nothing but a rant.

earth-tattoo 3 days ago | parent | next [-]

Craigslist used to have a Rants & Raves section for exactly these kind of things. I think they still have, but in old times it used to be so happening! Maybe hacker news needs to have one.

tarpitt 3 days ago | parent | prev [-]

Your comment is merely a comment and not an argument