Hacker News

utopiah today at 9:45 AM

Like I said, I'm confused, genuinely trying to figure the article out.

"A cryptosystem is incoherent if its implementation is distributed by the same entity which it purports to secure against."

What is the cryptosystem then on the Web? Who is the entity? It's not the server or the Website so I don't see what's left except the browser and browser vendor.


Replies

avaer today at 9:55 AM

There's also a long list of government (or subpoenable) entities on your certificate trust list.

Without which TLS is not gonna work.

The article is arguing that in practice you could just send your "encrypted" communications to the browser vendor, or one of the governments on the certificate root list, or someone else in the distribution chain, and have them be the middle man. The security properties of your communications would be the same. Hence "snake oil".

Things like stapling don't change this much, or reduce to TOFU.