Oddbean new post about | logout
hodlbod | 3 days ago (raw) | root | parent | reply | flag 
 Shared secrets gives you something durable that clients can quietly exfiltrate to spy on users later. Not a good idea IMO, but others disagree
mleku | 3 days ago (raw) | root | parent | reply | flag 
 if they can get at the shared secret they probably can get at the nsec, how far separated are those two things?
mleku | 3 days ago (raw) | root | parent | reply | flag 
 hint: you can't derive the shared secret without the secret. it's one step. one.

security of the nsec and derived secrets is almost unity

the actual data it decrypts, that's your computer it's on, it's not being SENT ANYIWHERE ffs guys, please, get some fucking realism in your threat models

if you can't trust the computer, why you use the computer?

oh yeah, because it isn't a leaky sponge like you are trying to make it out to be, yet somehow it is secure in other ways

no, fuck you. decrypted messages are adjacent to the fucking nsec