• 0 Posts
  • 9 Comments
Joined 1 year ago
cake
Cake day: July 6th, 2023

help-circle

  • Quantum computers are nowhere near usable for breaking classical cryptography at the moment, though opinions on how soon it will come vary. As others have said, we have quantum resistant algorithms ready to go, so future encryption is fine.

    The greater concern is that a lot of traffic and data encrypted using classical algorithms has been logged or stored in various mediums. An old encrypted drive, or communications stored by nation state actors (the NSA and such). These will be broken, and a lot of past secrets might come out from hiding.





  • Agree with the points on PGP and other features. I almost made a lengthier reply mentioning the signing issues, which seems appropriate now. It would not be easy, but a successful implementation would definitely need clients to automatically detect and verify signed content, due to the human issues you mention. A problem is obtaining public keys from a trusted source. Maybe it could be attached to profile information with a 2FA requirement to modify it. Just an idea. In this way, verification is not dependent on the user to perform.



  • PGP private keys are harder to steal than JWTs, as they are not generally stored as a long-term cookie but briefly just to sign something. Through XSS (the vulnerability in this case), cookies are relatively easy to steal, but to steal a PGP key would require a more complex script able to steal the key at the time it is loaded in the browser (assuming the signing feature is implemented in the browser). It’s a bit more sophisticated, but not totally bulletproof.