[chvid]

Yes. The Chinese government likely have "front door" access rather than having to rely on capturing network traffic and exploit some hidden weakness in a protocol.

But why are Chinese companies making their own security protocol / libraries rather adopting "cryptographic best practices"? Do they actually think that common crypto libraries are flawed? Or is this a part of China's deep tech / self-sufficient efforts?

[ganyu]

Most of those devs back in 2011 were rookies, and many still are now. It would've been lucky enough for them to have even heard of the word 'asymmetric encryption'. And you can still find many public APIs in the WeChat docs (in 2022) that uses hand-written AES stuff that, unfortunately, uses ECB.

Back in those days where the CN internet infrastructure as we see today was laid down, devs and PMs literally didn't know for sure what were they doing, but they still worked overnight because it the new features must be shipped before next weekend.

And since the services worked pretty well until today it's kinda better to keep the s__tpile there and don't change it. Also there's a lot of unmaintained 'PWA's in the wild that relies on legacy APIs that you dare not to break.

[chvid]

So they are just stupid, overworked and stuck with their own spaghetti?

[ganyu]

i'd prefer the term 'less experienced' but yes.

[heinternets]

China have their own crypto standard OSCCA, which uses the SM4 cipher, SM3 hash function etc instead of using the AES, ECDH, RSA algorithms everyone else does. The OSCCA standard are only approved for use in China.

[randomNumber7]

Probably they think more control is still better.