Hacker News new | ask | show | jobs
by joshuamorton 1341 days ago
Be precise: what threat is added here that is added by a third party holding encrypted keys?

Like this isn't particularly different from me backing up my (encrypted) disk which contains my (further encrypted) keys to the cloud somewhere.
2 comments
politelemon 1341 days ago
In the second instance, you are controlling the where and how of your keys being backed up. If you are smart you will have backed up your keys to multiple locations, for disaster recovery. One of the fundamentals of privacy is having control of your data, which the first option does not provide.
link
joshuamorton 1341 days ago
Why not?

What is concerning about giving encrypted keys to someone? If I give my encrypted key to you, right now, I retain control of my data. One of the fundamentals of encryption is that you can freely share the ciphertext without giving up control of your data.

link
jrm4 1341 days ago
I don't know, and you don't either, because I'm willing to bet that "Google" is smarter than both of us.

That's kind of the point. We have to trust that Google won't mess things up and we have essentially no recourse if they do.

link
joshuamorton 1341 days ago
I'm unclear on what you think they could do. Is your idea here that Google is so smart that they can break end to end encryption? If so, we've got bigger problems.

It isn't fair to presume that everyone shares your lack of knowlege on a subject, and it's simply incorrect to presume that because you don't understand something that it cannot be safe or reliable.

link
jrm4 1341 days ago
What they say today about end-to-end encryption seems like it should work fine from a technical point of view. It is entirely possible the Google is very good about this, and when implemented, it might work perfectly as stated today.

But I'm not talking about incorrect or correct and I don't care about fairness in presuming whoever's intelligence either, because the thing I'm talking about is more important, which is risk.

Large companies taking on big tasks that you don't pay them for is undeniably risky for many reasons. One, they screw it up today. Two, they don't screw it up today but they change it tomorrow. We know this because many of these companies have done things like this before.

link
joshuamorton 1341 days ago
But again, what is the unique risk here? Google shutters and your phone bricks simultaneously, and you're left unable to log in?

Like this is lower risk than a local password manager or a yubikey or... Because it's both local and cloud backup. Be precise, what is the risk?

link