1. 25

  2. [Comment removed by author]

    1. 5

      I think that rule applies much in the same way as “do not develop your own pharmaceuticals”, unless of course you are a qualified biochemist.

      This library has a key feature not found in OpenSSL. It tries to make it hard to use incorrectly and in an unsafe manner.

      This makes it far from dangerous; it makes it commendable. IIRC NaCl tries to accomplish a similar task.

      1. 1

        unless of course you are a qualified biochemist.

        Qualified means somebody said you are good.

        Which may or may not mean you are actually good.

        1. 1

          In computing, sure, people who call themselves ‘engineers’ rarely have anything close to an actual discipline and the process of lessons learnt; instead they put their energy into preaching about Rust and TDD, or whatever is the thing this month on the Intertubes.

          Otherwise, ‘engineer’ in the serious sense means people who are qualified to build bridges, buildings, aeroplanes and write software for satellites.

      2. 5

        That is very much talking about both implementations and designing your own cipher suites. There is not a single home-grown cipher suite here, and the team is the one behind Project Wycheproof. Literally professional cryptographers.

        1. 3

          I suspect this is either trolling or a poor attempt at humor; these people are security professionals and cryptographers that not only used stock existing primitives (where most of the problems occur), they also wrote a huge set of tests including a whole other test project…

          The real “problem” (if you could call it that) is that they basically rewrote libsodium in Java and left out the next gen bits (for the time being). But it’s also Google, so they get to do that kind of thing.

          1. 1

            Conventional wisdom is sometimes there to keep idiots safe and is the wrong path if you want above average results.