To understand my point, I need to first explain three different cryptography attack papers / blog posts. I promise this won't be boring. Three Little Dislcosures Misuse-Prone Ciphers For All In a blog post titled Carelessness versus craftsmanship in cryptography, cryptography analyst and Queer in Cryptography emcee Opal Wright delves into the misuse-prone and side-channel-riddled…

Soatok is a blog or publication authored by Soatok Dhole, a security researcher and privacy advocate. Readers can explore articles covering topics such as cryptography, privacy-enhancing technologies, and digital rights. Additionally, they can learn about cybersecurity threats, encryption protocols, and strategies for protecting online privacy.

Dhole Moments

Cryptography engineers have a duty of care to their users that many are failing to meet. Three case studies illustrate the problem: insecure AES implementations in aes-js/pyaes with cavalier developer responses, a research paper eviscerating LastPass, Bitwarden, and Dashlane's cryptographic security, and Matrix's dismissive response to disclosed vulnerabilities. The core failure is that most cryptographic software lacks clear threat models, vague security goals, and poor transparency about maturity. A minimum bar is proposed: write obviously secure ('boring') code, state security goals and assumptions explicitly, and be transparent about project maturity. Being open source does not absolve developers of responsibility when their cryptographic code is widely adopted.

Cryptography Engineering Has An Intrinsic Duty of Care