undefined | Better HN

0 pointsmikekchar7y ago0 comments

I don't think your question is as easy to answer as you might be implying. I certainly don't know the answer. My main concern is: what is the downside to "pretty good e2e"? Without understanding what that means, we can't evaluate the situation.

"Good" is better than "best" if "best" is not available seems obvious, but it certainly isn't true in a lot of cases. If I tell you that X secure and you trust it to be secure, when it actually has problems -- that might be worse than me telling you that X is not secure.

People are bad at evaluating risk. If I want to pass notes in class and don't want my teacher to know what the note says if I get caught, then rot-13 is probably "good enough". But if I'm a whistle-blower for a government agency, my security needs are quite a bit higher. We can never make a perfect app, but I'm not sure I could define what "good enough" looks like for the general populous. It's completely reasonable to me that different groups have different opinions on the matter -- and I think that's a good thing.

0 comments

1 comments · 1 top-level

godelski7y ago

> If I tell you that X secure and ...

Is Signal or WA in that regime? Literally the only reason I don't use WA is because it is owned by FB. But as far as I'm aware both are cryptographically secure. Yes, I'm aware WA has a metadata problem.

So what's good enough? I'd say that if you need a state actor to crack it, I'll call it good enough. At least for the general populous. Any more difficulty that can be made is a bonus imo.

Clearly we can't get a perfect e2e app. So at what point in time do we say "we also need other features that people want so that they'll use our app". That doesn't mean "stop working on encryption" (you can never stop that) but "we're at a good enough point to start targeting a larger market." I think something like Signal is there. Stop focusing on the security geeks and bring in the general public.