Readit Newsdoomrobo commented on Show HN: PinSend – Share text between devices using a PIN(P2P, no login) pinsend.app... · Posted by u/avovsya
The pin would just be for coordination, not encryption.
Ah ok. How is the encryption key, if there is one, established then?
doomrobo commented on Show HN: PinSend – Share text between devices using a PIN(P2P, no login) pinsend.app... · Posted by u/avovsya
What do you mean by transcript? If you mean the messages that were shared - the answer is no, server sees no messages at all as message exchange is peer to peer via WebRTC. As soon as session is over(eg. When all clients disconnect) - message history is lost for good. Brute force attacks are theoretically possible for sessions in progress(though hard due to alphanumeric 6 character PIN and server throttling), so I'll introduce "safe session" as suggested by some of the commenter by introducing "waiting rooms" so the newly connected clients have to be approved. I'd definitely leave the current workflow as is as its frictionless and works for some of my usecases(quick link or log sharing, etc)
There are middle boxes between the two peers, yes? Routers and such. They observe the encrypted messages. They can brute force the password, even after the session is over.
Even if you assume the PIN is uniformly random (you should not assume this), it is only log2((10+26)^6) ~ 31 bits of entropy. This does not satisfy standard notions of secure channel establishment.
doomrobo commented on Show HN: PinSend – Share text between devices using a PIN(P2P, no login) pinsend.app... · Posted by u/avovsya
If the server stores the transcript of a session, can it brute force the PIN later on?
Magic Wormhole (https://github.com/magic-wormhole/magic-wormhole) avoids this by using a password authenticated key exchange (PAKE) protocol. If you don’t use a PAKE, you get trivial brute force attacks from anyone with a transcript.
FedNow is cool but it has nothing to do with B2C payments. Think: wires, but cheaper. Or ACH, but faster. Do you frequently pay for goods or services with wires or literal ACH transfers? (No.)
In Europe, this is not uncommon for online purchases. You put in your IBAN number and authorize the transaction
Link should be https://status.gitlab.com/
doomrobo commented on RFC 9180: Hybrid Public Key Encryption (2022) rfc-editor.org/rfc/rfc918... · Posted by u/teleforce
The introduction says that HPKE is different from the “traditional combination” of “encrypt the symmetric key with the public key”, but it doesn’t explain why it’s better. Does anyone know?
It’s not actually much different. The main reason to use this is because it’s the standardized version of that concept and has been analyzed by people. All the smaller cryptographic detailed like domain separation, proper key derivation, weak key rejection etc. have been worked out for you. So it’s a plug and play solution that previously didn’t exist.
There we go again. We should expect to see more of these things. Many closely related animals confined in a small space, with humans around, is not a good recipe.
"Given the presence of bird flu on the premises, all 1.8 million birds need to be culled, aka "depopulated." "
Can you picture 1.8 million birds? Now picture them all being gassed. Now, I'm not vegan but that's grim.
"Workers are tasked with placing the birds in the chambers, which only hold a few dozen birds at a time. In all, the method requires workers to have a high degree of contact with the infected birds, going from bird to bird and batch to batch with the carts."
What a great idea.
What’s grim? 9.4 billion chickens are killed every year in the US. That’s 25.7 million a day
https://www.nationalchickencouncil.org/statistic/broiler-ind...
When talking about cryptography, its always important to think about what you are keeping secret and who are you keeping it secret from.
Afaict identity based cryptography requires a trusted third party. If you already have a trusted third party, might as well skip all this complexity and just communicate through them.
After all communicating through twitter DMs is pretty secure & convinent, if you take it as a given that twitter is trutworthy.
IBE allows two users to communicate without the trusted party being online