re: How Companies Prey On Your Ignorance of Tech and Your Fear of Hackers

re: Because I am a reflexive contrarian to any absolute statement, wouldn't Open Whisper Systems / Signal be a good exception to this rule? Or do they ...

The algorithms are already there, and they are free.
There are very good frameworks out there, like OAuth, OpenSaml and JOSE where you can easily implement security yourself.

The problem today is not the algorithm or the framework, but the security model. Storing secrets (keys, passwords) is the hard part we developers have to do today. Making sure only authorized users can access data, and only their data, is the hard part.

The security model you implement costs money, getting valid CA certificates costs money, maintenance costs money. For instance, the most advanced HSM servers are pieces of hardware, very expensive, where you can only enter CA certificates on-site. No Internet. And if tampered with physically to retrieve keys, they will destroy themselves.

I don't know much about Open Whisper, but I can see that they use Signal - which is free. Also, it is not a couple of developers creating an algorithm for a project, more like a team of security experts.
Open Whisper itself is a service that uses Signal; I don't see a problem with making services yourself.

Though, if anybody out there is interested in security and algorithms, try to make one yourself by all means. It is a very good exercise. Compare it with what the experts have done and see how insufficient it is ;)

Whoops... way longer than I planned... hope it was not too boring :)
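As an added illustration of the comment's point (not code from the commenter or from any of the named projects): the algorithm part, a JOSE-style HS256 JWS token, fits in a few stdlib lines, while the security model is the separate ownership check that stops an authenticated user reading someone else's data. The key, the document store and the claims are constructed sample values.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key. Keeping a real one safe is the hard part the comment describes.
DEMO_KEY = b"constructed-demo-secret-do-not-reuse"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a JWS compact token (header.payload.signature) with HS256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_hs256(token: str, key: bytes, now=None) -> dict:
    """Verify the MAC and expiry; only the algorithm the server expects is accepted."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        raise ValueError("expired")
    return claims

# Constructed sample data store: each document belongs to exactly one user.
DOCUMENTS = {"doc-1": {"owner": "alice", "body": "alice's notes"},
             "doc-2": {"owner": "bob", "body": "bob's notes"}}

def get_document(token: str, doc_id: str, key: bytes = DEMO_KEY, now=None) -> str:
    claims = verify_hs256(token, key, now)  # authentication: who is calling
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != claims.get("sub"):  # authorization: only their data
        raise PermissionError("not found or not yours")
    return doc["body"]
```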
