My favorite crypto feature is limited cracking attempts. Socialist millionaire, PAKE, Secure Enclave, YubiKeys, this http://blog.cryptographyengineering.com/2016/08/is-apples-cloud-key-vault-crypto.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+AFewThoughtsOnCryptographicEngineering+(A+Few+Thoughts+on+Cryptographic+Engineering)&m=1 …
A HSM owned & physically possessed by someone other than yourself is basically security theater.
-
-
can you please describe how they could have possibly made the service more secure?
-
I don't think they really could.
-
My complaint is not that it should be more secure, just that it shouldn't be advertised as secure.
-
because of a theoretical vulnerability that might possibly exist in their HSMs?
-
No, because with physical access & a big enough budget you can always extract keys from a HSM.
-
mh, real world users don’t have strong passwords, or targeted nation state adversaries. Security is relative.
End of conversation
New conversation -
-
-
the problem they are solving for is when people lose their own HSMs. If you don't like exposure, don't opt in.
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.