Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

the problem is that most or almost every professional programmer goes by the slogan "You shouldn't implement cryptography by yourself, but instead rely on the existing well tested libraries". This is hinders competition in the crypto space. You definitely cannot say that the programmers of openSSL are not professionals, because you know that the majority was relying on their library so it is definitely the best library out there. There is just no better alternative. if you want to have alternatives then you have to encourage amateur crypto programmers to implement competing products. But the whole programming community is doing the opposite by bashing people who start implementing their own crypto. For example If I remember the debate about Telegram where a highly talented team starts their own library the response from programmers is that they shouldn't do this and instead use crappy old libraries which do not even fulfill their requirements.


I don't think the advice not to implement your own crypto stuff ever meant that no one should do it under any circumstances. It means that application programmers should not do it as part of their application. And that, I think, is good advice.

I certainly wouldn't want to see corporate devs at my bank implement some custom "secure" http communications protocol.

What we need is two or three well funded TLS/SSL implementations competing with each other, kind of like we have a handful of competing web browser implementations or C++ compiler implementations or operating systems, all done by experts in their field.


Isn't PolarSSL like that? Maybe pure open source isn't a good fit for critical applications.


What is "pure opensource"? It's hard to imagine a credible closed source implementation in the age of NSA ubiquity.

I don't know PolarSSL. If it's a reasonably complete implementation then maybe it deserves more attention.


> For example If I remember the debate about Telegram where a highly talented team starts their own library the response from programmers is that they shouldn't do this and instead use crappy old libraries which do not even fulfill their requirements.

The problem with Telegram wasn't about code, it was about algorithms and design. They designed their own crypto, which is a really bad thing. If they had written their own implementations of well-known, tested and proven crypto primitives/algorithms, everything would have been fine (well, mostly; you can still implement a good algorithm badly, but that's not what happened).




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: