by robonerd 1492 days ago
> You have to trust a whole lot of companies to get onto and use the Internet.

Obviously, I wouldn't dream of asserting otherwise. My point is that for the vast majority of the population, a paragraph of technogibberish about cryptography doesn't fundamentally change anything; you're still reliant on trust. To most people, that paragraph is worth about as much as a basic promise. The worth of that statement is derived from whatever trust is had in the corporation and the ability of academics and regulators to stay on the ball and keep corporations in check.

If somebody who isn't a cryptographer has decided not to trust Cloudflare and not to trust the rest of society to keep a company like Cloudflare in check, then that whole explanation isn't worth much. It boils down to saying "Just trust me" in response to somebody who just said "I don't trust you."


I searched around a bit, and the only thing I found was the EFF not complaining about it when mentioning it while talking about something else [0]:

> This proposal is based on Privacy Pass, a privacy-preserving and frustration-reducing alternative to CAPTCHAs.

So I guess that’s good-ish?

[0]: https://www.eff.org/tr/deeplinks/2019/08/dont-play-googles-p...

It's worth a bit, but it doesn't assuage all my concerns. Even with trust in the EFF to be both well informed and earnest, I think there is still reason for doubt. I've read it claimed many times that cryptography is easy to fuck up in subtle ways, and that these fuckups can go unnoticed for years. Furthermore, subtle flaws can be deliberately engineered into cryptographic schemes and probably concealed from notice for many years. The more novel a cryptographic scheme seems, the more reason there is to doubt that it's been inspected and verified from all angles. I've never heard of VOPRFs before today; they don't seem to have a Wikipedia page, and the articles I've found about them with a web search are all very recent.

Furthermore, there is the matter of Cloudflare itself, specifically its size and scope. Concentrations of data are magnets for intelligence agencies. The more data a company has access to, the less I trust them to keep it safe.

That extends to pointing out that trust is required. When it's the default state of things, what use is pointing it out going to bring?

I made an obvious point because it's strange to bring up that something on the internet requires trust. Because of course it does.

It's the difference between trusting some math that's used by a hundred million sites versus trusting math that one particular company claims is safe.

It's not strange at all to distinguish between those kinds of trust.

When I use TLS 1.3, I'm not relying on "trust us" from the inventor and a couple investigators, I'm relying on heavy worldwide scrutiny.

> When it's the default state of things, what use is pointing it out going to bring?

I believe that appeals to math can obscure the role of trust. This is demonstrated by the formation of an industry of scammers exploiting the phenomenon. Millions of people don't understand cryptocurrencies but buy in anyway, confidence bolstered by their lionization (but not comprehension) of math.

I think it's an illusion worth drawing attention to.