Soatok DreamseekerDec 3

Re: https://old.reddit.com/r/crypto/comments/1pca3r8/introducing_constanttime_support_for_llvm_to/nrzywmp/?context=2

It is simultaneously true that:

  • Most data breaches do not require any cryptographic wizardry
  • Of the ones that involve cryptography, side-channels (timing, power, etc.) are not an attacker's first choice
  • The inability to have guarantees that the compiler will not make code variable-time as part of an "optimization" is a massive pain point in writing secure implementations of cryptography

And, sure, the LLVM work won't stop app developers from fucking up something on the OWASP Top 10 list for a given year. Nor will it stop phishing from being hella effective against most users and services.

But it does reduce compiler doom and various forms of auditor bikeshedding, which makes applied cryptography work a little easier to get done.

And the best mitigation we have for phishing attacks today is WebAuthn... which uses cryptography. :P

Sometimes, naysaying is actually counterproductive.

Show threadSoatok DreamseekerDec 3

If you're wondering, "Wait, WebAuthn mitigates phishing?" there's a very good explainer about this topic from the same blog that Reddit thread is about:

https://blog.trailofbits.com/2025/05/14/the-cryptography-behind-passkeys/#anti-phishing-protections

The cryptography behind passkeys

This post will examine the cryptography behind passkeys, the guarantees they do or do not give, and interesting cryptographic things you can do with them, such as generating cryptographic keys and storing certificates.

The Trail of Bits Blog
Show threadErik van StratenDec 3

@soatok : UTTER BS.

The picture you copied DOES NOT mitigate AitM's.

The article (https://blog.trailofbits.com/2025/05/14/the-cryptography-behind-passkeys/#anti-phishing-protections) is right b.t.w.

#Passkeys #AitMmadeMuchHarder #CryptographyBS

Show threadvarx/techDec 3
@ErikvanStraten You seem to be confused about Mastodon link previews vs. images.
Show threadErik van StratenDec 3

@varx : if *I* am confused, why not anybody else?

Do as I do, make a screenshot if YOU don't know how Mastodon works.

Show threadvarx/tech
@ErikvanStraten Take a deep breath, stop doubling down, and take a closer look at the post you replied to.
Dec 3 at 9:14pmWeb
Show threadErik van StratenDec 3

@varx : done.

Now what?

Show threadljĀ·rkDec 3
@ErikvanStraten @varx Try again, because it's still you who doesn't comprehend that @soatok didn't post a screenshot. Eh, your name pops up again and again, and by now you've got a reputation for arguing completely beside the point and derailing threads. I think taking a deep breath isn't enough anymore.