<?xml version="1.0" encoding="utf-8"?>
<feed xml:lang="en-us" xmlns="http://www.w3.org/2005/Atom"><title>Simon Willison's Weblog: encryption</title><link href="http://simonwillison.net/" rel="alternate"/><link href="http://simonwillison.net/tags/encryption.atom" rel="self"/><id>http://simonwillison.net/</id><updated>2024-12-20T04:57:04+00:00</updated><author><name>Simon Willison</name></author><entry><title>Quoting Marcus Hutchins</title><link href="https://simonwillison.net/2024/Dec/20/marcus-hutchins/#atom-tag" rel="alternate"/><published>2024-12-20T04:57:04+00:00</published><updated>2024-12-20T04:57:04+00:00</updated><id>https://simonwillison.net/2024/Dec/20/marcus-hutchins/#atom-tag</id><summary type="html">
    &lt;blockquote cite="https://bsky.app/profile/malwaretech.com/post/3ldpfzxdyqs2d"&gt;&lt;p&gt;50% of cybersecurity is endlessly explaining that consumer VPNs don’t address any real cybersecurity issues. They are basically only useful for bypassing geofences and making money telling people they need to buy a VPN.&lt;/p&gt;
&lt;p&gt;Man-in-the-middle attacks on Public WiFi networks haven't been a realistic threat in a decade. Almost all websites use encryption by default, and anything of value uses HSTS to prevent attackers from downgrading / disabling encryption. It's a non issue.&lt;/p&gt;&lt;/blockquote&gt;
&lt;p class="cite"&gt;&amp;mdash; &lt;a href="https://bsky.app/profile/malwaretech.com/post/3ldpfzxdyqs2d"&gt;Marcus Hutchins&lt;/a&gt;&lt;/p&gt;

    &lt;p&gt;Tags: &lt;a href="https://simonwillison.net/tags/encryption"&gt;encryption&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/https"&gt;https&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/security"&gt;security&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/vpn"&gt;vpn&lt;/a&gt;&lt;/p&gt;



</summary><category term="encryption"/><category term="https"/><category term="security"/><category term="vpn"/></entry><entry><title>EpicEnv</title><link href="https://simonwillison.net/2024/Aug/3/epicenv/#atom-tag" rel="alternate"/><published>2024-08-03T00:31:33+00:00</published><updated>2024-08-03T00:31:33+00:00</updated><id>https://simonwillison.net/2024/Aug/3/epicenv/#atom-tag</id><summary type="html">
    
&lt;p&gt;&lt;strong&gt;&lt;a href="https://github.com/danthegoodman1/EpicEnv"&gt;EpicEnv&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;
Dan Goodman's tool for managing shared secrets via a Git repository. This uses a really neat trick: you can run &lt;code&gt;epicenv invite githubuser&lt;/code&gt; and the tool will retrieve that user's public key from &lt;code&gt;github.com/{username}.keys&lt;/code&gt; (&lt;a href="https://github.com/simonw.keys"&gt;here's mine&lt;/a&gt;) and use that to encrypt the secrets such that the user can decrypt them with their private key.

    &lt;p&gt;&lt;small&gt;Via &lt;a href="https://lobste.rs/s/gruxeg/epicenv_local_environment_variable"&gt;lobste.rs&lt;/a&gt;&lt;/small&gt;&lt;/p&gt;


    &lt;p&gt;Tags: &lt;a href="https://simonwillison.net/tags/encryption"&gt;encryption&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/git"&gt;git&lt;/a&gt;&lt;/p&gt;



</summary><category term="encryption"/><category term="git"/></entry><entry><title>Encryption At Rest: Whose Threat Model Is It Anyway?</title><link href="https://simonwillison.net/2024/Jun/4/encryption-at-rest/#atom-tag" rel="alternate"/><published>2024-06-04T13:17:34+00:00</published><updated>2024-06-04T13:17:34+00:00</updated><id>https://simonwillison.net/2024/Jun/4/encryption-at-rest/#atom-tag</id><summary type="html">
    
&lt;p&gt;&lt;strong&gt;&lt;a href="https://scottarc.blog/2024/06/02/encryption-at-rest-whose-threat-model-is-it-anyway/"&gt;Encryption At Rest: Whose Threat Model Is It Anyway?&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Security engineer Scott Arciszewski talks through the challenges of building a useful encryption-at-rest system for hosted software. Encryption at rest on a hard drive protects against physical access to the powered-down disk and little else. Implementing encryption at rest in a multi-tenant SaaS system, such that even individuals with insider access (like access to the underlying database) are unable to read other users' data, is a whole lot more complicated.&lt;/p&gt;
&lt;p&gt;Consider an attacker, Bob, with database access:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Here’s the stupid simple attack that works in far too many cases: Bob copies Alice’s encrypted data, and overwrites his records in the database, then accesses the insurance provider’s web app [using his own account].&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The fix for this is to "use the AAD mechanism (part of the standard AEAD interface) to bind a ciphertext to its context." Python's cryptography package &lt;a href="https://cryptography.io/en/latest/hazmat/primitives/aead/"&gt;covers Authenticated Encryption with Associated Data&lt;/a&gt; as part of its "hazardous materials" advanced modules.&lt;/p&gt;

    &lt;p&gt;&lt;small&gt;Via &lt;a href="https://news.ycombinator.com/item?id=40573211"&gt;Hacker News&lt;/a&gt;&lt;/small&gt;&lt;/p&gt;


    &lt;p&gt;Tags: &lt;a href="https://simonwillison.net/tags/cryptography"&gt;cryptography&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/encryption"&gt;encryption&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/python"&gt;python&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/security"&gt;security&lt;/a&gt;&lt;/p&gt;



</summary><category term="cryptography"/><category term="encryption"/><category term="python"/><category term="security"/></entry><entry><title>Shamir Secret Sharing</title><link href="https://simonwillison.net/2023/Aug/11/shamir-secret-sharing/#atom-tag" rel="alternate"/><published>2023-08-11T15:48:55+00:00</published><updated>2023-08-11T15:48:55+00:00</updated><id>https://simonwillison.net/2023/Aug/11/shamir-secret-sharing/#atom-tag</id><summary type="html">
    
&lt;p&gt;&lt;strong&gt;&lt;a href="https://max.levch.in/post/724289457144070144/shamir-secret-sharing-its-3am-paul-the-head-of"&gt;Shamir Secret Sharing&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;
Cracking war story from Max Levchin about the early years of PayPal, in which he introduces an implementation of Shamir Secret Sharing to encrypt their master payment credential table... and then finds that the 3-of-8 passwords needed to decrypt it and bring the site back online don’t appear to work.

    &lt;p&gt;&lt;small&gt;Via &lt;a href="https://news.ycombinator.com/item?id=37087136"&gt;Hacker News&lt;/a&gt;&lt;/small&gt;&lt;/p&gt;


    &lt;p&gt;Tags: &lt;a href="https://simonwillison.net/tags/encryption"&gt;encryption&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/ops"&gt;ops&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/paypal"&gt;paypal&lt;/a&gt;&lt;/p&gt;



</summary><category term="encryption"/><category term="ops"/><category term="paypal"/></entry><entry><title>See this page fetch itself, byte by byte, over TLS</title><link href="https://simonwillison.net/2023/May/10/see-this-page-fetch-itself-byte-by-byte-over-tls/#atom-tag" rel="alternate"/><published>2023-05-10T13:58:36+00:00</published><updated>2023-05-10T13:58:36+00:00</updated><id>https://simonwillison.net/2023/May/10/see-this-page-fetch-itself-byte-by-byte-over-tls/#atom-tag</id><summary type="html">
    
&lt;p&gt;&lt;strong&gt;&lt;a href="https://subtls.pages.dev/"&gt;See this page fetch itself, byte by byte, over TLS&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;
George MacKerron built a TLS 1.3 library in TypeScript and used it to construct this amazing educational demo, which performs a full HTTPS request for its own source code over a WebSocket and displays an annotated byte-by-byte representation of the entire exchange. This is the most useful illustration of how HTTPS actually works that I’ve ever seen.

    &lt;p&gt;&lt;small&gt;Via &lt;a href="https://twitter.com/b0rk/status/1656287855612682240"&gt;Julia Evans&lt;/a&gt;&lt;/small&gt;&lt;/p&gt;


    &lt;p&gt;Tags: &lt;a href="https://simonwillison.net/tags/encryption"&gt;encryption&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/http"&gt;http&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/https"&gt;https&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/tls"&gt;tls&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/websockets"&gt;websockets&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/explorables"&gt;explorables&lt;/a&gt;&lt;/p&gt;



</summary><category term="encryption"/><category term="http"/><category term="https"/><category term="tls"/><category term="websockets"/><category term="explorables"/></entry><entry><title>Building a stateless API proxy</title><link href="https://simonwillison.net/2019/May/30/building-a-stateless-api-proxy/#atom-tag" rel="alternate"/><published>2019-05-30T04:28:55+00:00</published><updated>2019-05-30T04:28:55+00:00</updated><id>https://simonwillison.net/2019/May/30/building-a-stateless-api-proxy/#atom-tag</id><summary type="html">
    
&lt;p&gt;&lt;strong&gt;&lt;a href="https://blog.thea.codes/building-a-stateless-api-proxy/"&gt;Building a stateless API proxy&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;
This is a really clever idea. The GitHub API is infuriatingly coarsely grained with its permissions: you often end up having to create a token with way more permissions than you actually need for your project. Thea Flowers proposes running your own proxy in front of their API that adds more finely grained permissions, based on custom encrypted proxy API tokens that use JWT to encode the original API key along with the permissions you want to grant to that particular token (as a list of regular expressions matching paths on the underlying API).

    &lt;p&gt;&lt;small&gt;Via &lt;a href="https://twitter.com/theavalkyrie/status/1133864634178424832"&gt;@theavalkyrie&lt;/a&gt;&lt;/small&gt;&lt;/p&gt;


    &lt;p&gt;Tags: &lt;a href="https://simonwillison.net/tags/apis"&gt;apis&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/encryption"&gt;encryption&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/github"&gt;github&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/proxies"&gt;proxies&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/security"&gt;security&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/jwt"&gt;jwt&lt;/a&gt;&lt;/p&gt;



</summary><category term="apis"/><category term="encryption"/><category term="github"/><category term="proxies"/><category term="security"/><category term="jwt"/></entry><entry><title>China Demonstrates Quantum Encryption By Hosting a Video Call</title><link href="https://simonwillison.net/2017/Oct/8/quantum/#atom-tag" rel="alternate"/><published>2017-10-08T02:49:58+00:00</published><updated>2017-10-08T02:49:58+00:00</updated><id>https://simonwillison.net/2017/Oct/8/quantum/#atom-tag</id><summary type="html">
    
&lt;p&gt;&lt;strong&gt;&lt;a href="https://spectrum.ieee.org/tech-talk/telecom/security/china-successfully-demonstrates-quantum-encryption-by-hosting-a-video-call"&gt;China Demonstrates Quantum Encryption By Hosting a Video Call&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;This reads like pure science fiction:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Pan’s team first established a connection and generated a secure key between a ground station in Xinglong and the Micius satellite as it passed overhead, orbiting about 500 kilometers above Earth. [...]&lt;/p&gt;
&lt;p&gt;Next, the Chinese team waited for Micius to pass over Vienna, where their collaborators at the Austria Academy of Sciences were waiting to also receive the key from the satellite. Then, with the keys in hand, the groups initiated a video conference and used those keys to encrypt the video data through a standard VPN protocol.&lt;/p&gt;
&lt;/blockquote&gt;


    &lt;p&gt;Tags: &lt;a href="https://simonwillison.net/tags/encryption"&gt;encryption&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/quantum-computing"&gt;quantum-computing&lt;/a&gt;&lt;/p&gt;



</summary><category term="encryption"/><category term="quantum-computing"/></entry><entry><title>Insurgents Hack U.S. Drones</title><link href="https://simonwillison.net/2009/Dec/17/drones/#atom-tag" rel="alternate"/><published>2009-12-17T07:36:07+00:00</published><updated>2009-12-17T07:36:07+00:00</updated><id>https://simonwillison.net/2009/Dec/17/drones/#atom-tag</id><summary type="html">
    
&lt;p&gt;&lt;strong&gt;&lt;a href="http://online.wsj.com/article/SB126102247889095011.html"&gt;Insurgents Hack U.S. Drones&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;
The video feed rather than the control protocol, but still.... “Fixing the security gap would have caused delays, according to current and former military officials. It would have added to the Predator’s price. Some officials worried that adding encryption would make it harder to quickly share time-sensitive data within the U.S. military, and with allies.”


    &lt;p&gt;Tags: &lt;a href="https://simonwillison.net/tags/drones"&gt;drones&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/encryption"&gt;encryption&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/military"&gt;military&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/security"&gt;security&lt;/a&gt;&lt;/p&gt;



</summary><category term="drones"/><category term="encryption"/><category term="military"/><category term="security"/></entry><entry><title>Keyczar</title><link href="https://simonwillison.net/2008/Aug/13/keyczar/#atom-tag" rel="alternate"/><published>2008-08-13T13:20:59+00:00</published><updated>2008-08-13T13:20:59+00:00</updated><id>https://simonwillison.net/2008/Aug/13/keyczar/#atom-tag</id><summary type="html">
    
&lt;p&gt;&lt;strong&gt;&lt;a href="http://www.keyczar.org/"&gt;Keyczar&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;
New open source cryptography toolkit from Google, designed to get algorithm selection, key rotation and versioning right so you don’t have to. Java and Python versions are available; the Python version depends on PyCrypto.

    &lt;p&gt;&lt;small&gt;Via &lt;a href="http://www.links.org/?p=374"&gt;Ben Laurie&lt;/a&gt;&lt;/small&gt;&lt;/p&gt;


    &lt;p&gt;Tags: &lt;a href="https://simonwillison.net/tags/ben-laurie"&gt;ben-laurie&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/encryption"&gt;encryption&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/google"&gt;google&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/java"&gt;java&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/keyczar"&gt;keyczar&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/keyrotation"&gt;keyrotation&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/pycrypto"&gt;pycrypto&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/python"&gt;python&lt;/a&gt;&lt;/p&gt;



</summary><category term="ben-laurie"/><category term="encryption"/><category term="google"/><category term="java"/><category term="keyczar"/><category term="keyrotation"/><category term="pycrypto"/><category term="python"/></entry></feed>