"So, there you have it. It is tinfoil-hattedness to raise these concerns. The one area in computer science where tinfoil-hattedness is of absolutely importance is cryptography; and the maintainer of the only Haskell entropy package dismisses these very valid concerns as tinfoil-hattedness." (Medium)

Very good read, especially since I want to discuss crypto later!

I guess I should figure out what crypto I'm using in Rhapsode. When I dug into my transitive dependencies, there seemed to be a few different options pulled in by http-client-tls.


"So, in other words, when you use AESNI it will leave the decryption key sitting around in memory." This will very quickly drive you insane. How sure are you that you have actually cleared out the key? Did your deletion code get optimized out? Is there a copy in swap? Is there a copy in cache? I was mad when I realized Android didn't implement the destroyable interface for keys in Java, but when I sat down and thought about what that would require, I stopped caring.

"The fact that this is a home-grown implementation of AES, instead of a wrapper around a known secure, peer-reviewed implementation of AES, makes me very wary." But with the Haskell library I don't have to worry about heartbleeds.