Hacker News new | ask | show | jobs
by hamandcheese 331 days ago
> You can avoid it simply by not encrypting stuff at all, which is an indication of how little it has to do with security.

The consequences of encrypting wrongly quite possibly are worse than if you never encrypted at all.
2 comments
Spooky23 331 days ago
Remember when HN was losing its collective mind over Dual_EC_DRBG? That was delivered to customers with a FIPS validated software stack.
link
hamandcheese 331 days ago
Both of these things can be true at the same time:

- "Don't use unproven cryptography" is a reasonable policy.

- Policymaking can be subverted by bad actors.

link
Spooky23 331 days ago
Yes, but neither of those things have anything to do with FIPS 140-3.

FIPS validation address the compliance problem of needing validation. Beyond that, the benefits are ambiguous at best.

link
tptacek 331 days ago
Good thing FIPS 140 does virtually nothing to prevent cryptographic vulnerabilities, then.
link