Hacker News new | ask | show | jobs
by misterbowfinger 3192 days ago
This is going to sound like a dumb question, but.... how much would encryption help? Even if we encrypted all of our data at rest and on the wire, I feel like a lot of security vulnerabilities wouldn't have been prevented with encryption. If you have any way of interacting with the application or the database, it's basically game over, no? Is there any data on this?
1 comments
egwynn 3192 days ago
I’m not sure what threat model you’re proposing. If an attacker has control of your computer or the keybase app, then yes, it’s game over. But encryption removes the hosting entity as what would otherwise be a single point of failure. If you hack keybase the organization, you don’t immediately get access to everyone’s everything (in contrast with Equifax). An attacker would need to infiltrate the codebase and then release a malicious version to everyone that makes their apps decrypt/reroute/whatever the data.
link
misterbowfinger 3192 days ago
I suppose I'd like to see what threat models actually apply to companies, and what vectors are most often used to get pwned (outside of social engineering). I understand what encryption prevents, but I don't understand how helpful it is in practice.
link