[tptacek]

Tangent, but: giant NSA data centers are such a red herring. The inevitable outcome is one of two things:

1. We've been missing something fundamental about computer science for many decades and all the encryption we use everywhere is going to be broken.

2. Everything is going to be unbreakably encrypted by default and no data center any country can build will ever so much as recover a single emoji from a single IM.

Again: don't think about the status quo; think about 15-20 years from now.

[schoen]

Trying to brainstorm random scenarios about what could make there be a future "3.", "4.", etc...

3. "Enabling" (some kind of sabotage, infiltration, or collaboration) means a lot of things with a theoretically sound design are broken or backdoored in a way that is somehow hard to notice.

4. End-to-end encryption has a lot of UI inconveniences around key management, so it will only used for a small minority of communications.

5. The "Going Bright" paper's world in which it continues to be easy for governments to hack people. (However, the connection to the data centers isn't very obvious -- maybe for archiving stuff that was transferred with a non-forward-secret protocol, but why will things be transferred with such protocols?)

6. The fear about quantum computers is justified because they only cost about a billion dollars to reduce to practice at a level that can attack deployed systems. For some reason, the transition to post-quantum crypto is especially slow, difficult, or error-prone.

7. Crypto developers continue not to do Cryptopals and, for decades, continue to make frequent implementation mistakes that allow passive adversaries to defeat their systems.

8. There's going to continue to be an easy covert way to get in proximity of servers and read their session keys, but that way doesn't allow covert exfiltration of plaintexts from the servers so attackers need to record the ciphertext elsewhere.

9. The data centers are for recording metadata events, which are expected to become incredibly voluminous.

10. The Internet of Things industry still accepts second-class cryptographic mechanisms supposedly because of technical limitations of their devices, so uses smaller keylengths, no PFS, inadequate RNG, obsolete or custom ciphers...

11. People still use GSM phones with Kᵢ physically generated by their carrier as a basis for confidentiality of a portion of their communications, and it's still possible to attack the carriers' generation and distribution of these keys.

[tptacek]

These are all interesting points but I think they're not going to matter much. I think that whatever device most people carry around to communicate with in 2030 will be unbreakably encrypted by default, even against attackers so advanced that their quantum computers are handheld.

Forget about what random developers do with crypto. I agree: generalist developers will probably never get reliable crypto right. But they won't have to, just like they don't write their own TCP congestion control algorithms. Every programming environment available will provide unbreakable crypto by default without asking. You'll have to go out of your way not to have it; it'll be like raw sockets, where the environment sort of looks at you weird for even asking.

There are UX issues with strong crypto, but:

1. They're getting sorted out quickly.

2. They tend not to apply to the simplest and most common cases, which are actually the ones that matter most to public policy.

[simplemath]

NSA data internment is not a red herring, its one of the raisin darts [sic] for crippling encrypton - the goal is to keep everything forever and mine it later. strong encryption presumably breaks that use model (save quantum computing and the miniscule possibility that p v np is somehow solved ).

In the coin you've presented, certainly [1.] is the option we should all be expecting, sadly.

Option 2 sounds damn near utopian. I'll continue, as i mentioned before, to daydream about that one.

[tptacek]

Option (2) is what's going to happen. It's not utopia; it's a mortal lock.

[maxerickson]

Is it supposed to say unbreakably encrypted?

[tptacek]

thx

[simplemath]

I admire your optimism.

[newman314]

raison d'être FYI =)

I looked only because I was trying to remember myself how to spell it.