Yes, it would be really bad if people messed it up, but calling it a "crank encryption algorithm" is simply wrong and devalues the argument people are making. Do experts think that https://core.telegram.org/techfaq#q-i-39m-a-security-expert-and-i-think-your-protocol-is-not-secur … this contest is a fraud? $300k is pretty good...
I'm gonna keep reading despite your assumption that building web stuff is easy, but we should have another conversation about that ;)
-
-
I'm sad that anything I said made it sound like I thought crypto wasn't very very hard or that it's reasonable to assume a particular new crypto algorithm works.
-
"I know it looks like we're being pedantic or even cliquey, but what's really happening is they've spotted a fatal flaw in the crypto." I don't feel anyone is being cliquey and I interpreted the first round of critiques in exactly this way.
-
I'm finding your post here problematic in much the same way as I was originally bothered by but there's more signal here (no pun intended).
-
"If a 12 year old comes into your IRC channel with their homegrown encryption algorithm, no-one's going to care when you break it, because no one thought it was sound in the first place." This is not a 12 yo. It's one of the most popular chat programs in the world.
-
And given that 1. people were interested in showing flaws in MTProto1, and 2. they cared enough to attempt to fix them in MTProto2, it seems like there's a reason to check MTProto2 and I bet papers would be accepted at conferences.
-
(I also understood the part about there being a large gap between flaw and vuln, also see Spectre)
-
Hey, so like... please don't infer too much about how I think about you precisely from this. You were asleep while I wrote it, I couldn't sound out your views, so it's a more general-audience argument :)
-
Fair enough. I either don't like how you characterized my views or don't think you did such a good job of debunking them :p
End of conversation
New conversation -
-
-
I have far more experience building web stuff than doing security or crypto, btw :P
-
At minimum, building web stuff involves a knowledge of subtle interactions involving security (as well as precisely how finicky crypto can be) ;) I was on the Rails security team for a while and saw this stuff first hand. We were dealing with timing attacks 10 years ago ;)
-
some variant "how cute, he thinks he understands security" would not be the correct response here ;) ;) ;)
-
didn't know you were on the security team, many apologies for the 2/3 of the document that patronised your face off :
-
and yes building web stuff requires understanding security interactions but low-level crypto is on another level of fragility imo, and knowing that isn't usually required to build a website (nor should it be!)
-
I was referring to building web infra like rails not building a website, which should of course lean on existing tools.
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.
