
[return to "Ask HN: What scientific phenomenon do you wish someone would explain better?"]
1. memset+tD 2020-04-27 00:33:30
>>qqqqqu+(OP)
Crypto and practical security. I get tired of the circular “don’t roll your own crypto unless you’re qualified”. How does one become qualified? I don’t feel like I know how to evaluate many of the arguments people make for or against technologies people argue about on HN, such as Signal or different password managers. I feel like “security through obscurity” is a bad thing, and “layers of security” are a good thing, but isn’t all security obscuring something, and how does one evaluate whether a layer is adequate? “Just use bcrypt” - okay, help me understand!
2. GolDDr+CL 2020-04-27 02:03:58
>>memset+tD
Also, what makes me irritated about this blurt is that there are many "layers" of what people could reasonably call "crypto". There are the cryptographic primitives. There are higher-level crypto algorithms and functions that use those primitives. There are even higher-level cryptographic protocols, file formats etc. Then there's actually the application, applying crypto to a real-world problem.

Even in each of those, there are two "levels" of implementation: specifying an exact algorithm that implements a solution to problem x, and actually producing the code that implements the algorithm.

At some level, there is no ready-made solution to every problem. Even if the foundations are implemented by "somebody else", the line's blurry. At which level of (lack of) expertise and which level of "lowness" of the implementation should I start to worry?
