I like the idea of NaCl, but IMO it doesn't go far enough. What about a function like encrypt_symmetric_for_single_user(payload, userid, key) which takes care of picking the right algorithm, doing the right dance with keys and nonces and whatnot? Or maybe functions need to include naming like encrypt_for_sending_once and encrypt_for_storing_long? My understanding is that you want different crypto in such cases, right? I'm sure better cryptographers than me can immediately see what I'm doing wrong here, but you catch the gist right? Why can't this be made easier? Why do we at the same time, collectively, shame everyone who gets security wrong and make it so unnecessarily hard for people to get right? I mean, I don't even know what the different considerations are so I can't design these functions right, so please consider the spirit of the following proposal and not the details. Please make it easy for morons like me to use crypto right. Job safety is nice, but a secure internet is nicer. Cryptographers, please get your act together. We need similar APIs for symmetric and asymmetric encryption, for common use cases, or this madness is simply going to continue. These implement all the best practices, with seeds, the right algorithm parameters, keeping the ability to rehash in the future, etc. E.g. PHP doesn't just expose a way to call bcrypt, but also has two functions password_hash and password_hash_verify. Some languages and libraries get it right, here and there. This is shit design and we can blame the cryptographers. The programmer will be none the wiser except if they were lucky enough to post the code somewhere on HN and someone writes a condescending comment. Or else what? Or else the function works perfectly well, produces an encrypted byte array, but with totally broken security. Most standard crypto modules have calls of the form. Depending on the algorithm chosen totally different parameters need to be passed or else.
The reason this code is insecure is that the API is a piece of shit. The AES algorithm being invoked, I expect, was written by proper cryptographers. The code quoted does not implement encryption, it invokes encryption. You suggest we hire a cryptographer every time we need something secured?

How do I receive form submissions if my website is little more than a few HTML / CSS files with no backend framework? If you don't want to learn backend right now you could use serverless services such as supabase or firebase.

> Implementation is best left to cryptographers.

It not only simplifies all my queries but also. In addition, Supabase’s RLS (row level security) is a next level supapower that you just can’t live without after you use it. NoSQL approaches have their place but they also scare me a bit. I like Firebase too, but I like the idea of a defined schema for a project like Cartta.

Building In Public: Cartta Tech Stack Supabase, is a Firebase alternative built on top of Postgres which is extremely powerful.

Failed to resolve: :firebase-core:9.0.0 I followed the steps mentioned on the Firebase documentation, in the section Add Firebase to your Android Project, topic Available libraries.

Google Pay with Firebase extension and Adyen Firebase is a “backend as a service” platform that enables developers to create web and mobile applications without worrying about configuring and managing backend databases or storage, but instead plugging in each service via its own dedicated APIs.

Remote reboot script for Windows using Python and Firebase free tier Go to Firebase and create a new project, name it whatever you want.