Conversation

Notices

1. Embed this notice
   Soatok Dreamseeker (soatok@furry.engineer)'s status on Thursday, 26-Feb-2026 07:01:57 JST Soatok Dreamseeker

   Cryptography engineering has an intrinsic duty of care.

   http://soatok.blog/2026/02/25/cryptography-engineering-has-an-intrinsic-duty-of-care/

   • Embed this notice
     Mark T. Tomczak (mark@mastodon.fixermark.com)'s status on Thursday, 26-Feb-2026 07:10:48 JST Mark T. Tomczak

     in reply to

     @soatok I'm curious your thoughts on usability in the space. You've shared some of them, but I tripped over something this week and I thought you might be interested.

     I tried adding scope to an API token I had Atlassian generate for me, and the scoped token wouldn't work. I bashed my head against the problem for awhile: peeled apart the library I was using to find the actual URLs it was hitting, confirmed the scopes I'd assigned should match that URL, confirmed an unscoped token worked... It finally turned out that the issue was if you're using a scoped token, you have to hit an entirely different hostname and top-level path in the URL; they have a slightly different API for the requests with scoped tokens.

     At that point I gave up and used an unscoped one because nobody in IT was forcing me to use scoped, I just liked the idea that my token intended to read JIRA tickets couldn't also delete them, but I don't care enough to rewrite my API library.

     How do we balance security and usability? Is there even a rule of thumb?

     (Also, if you ever hear what the first twelve characters in an Atlassian API token mean, I'd love to find out. I had to generate five tokens while testing this problem, and they all started with the same twelve characters... My guess is it's a customer-identifier specific to my company, but I haven't had time to pin down a coworker long enough to have them generate a token to compare with).

   • Embed this notice
     Soatok Dreamseeker (soatok@furry.engineer)'s status on Thursday, 26-Feb-2026 07:10:48 JST Soatok Dreamseeker

     in reply to

     • Mark T. Tomczak

     @mark Actually, Avi Douglen said this better than I could:

     https://security.stackexchange.com/a/6116

   • Embed this notice
     David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Friday, 27-Feb-2026 05:59:09 JST David Chisnall (*Now with 50% more sarcasm!*)

     in reply to

     @soatok

     Ross Anderson wrote a lot about security usability and used to teach about good API design. His classes included the OpenSSL tri-state return as an example of what not to do (it was very easy for the caller to write a check that put success and unusual failure in the same class).

     I wish people writing crypto APIs would study libsodium, it really is the gold standard for these things.

     I recently had some discussions with the maintainers of the Linux Foundation’s PQC libraries because they have an API that takes a size for the output parameter on one call, but that call has a fixed-sized output. If you specify the wrong size, it doesn’t check it, it just writes past the end of your buffer. And you have to pass a constant there. Unfortunately, this API came from the reference implementation and it’s now hard to change.

     James Morris likes this.