I can't help but make the comparison with cryptographic network protocols, where... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		gnfargbl 9 months ago \| parent \| context \| favorite \| on: New Linux udisks flaw lets attackers get root on m... I can't help but make the comparison with cryptographic network protocols, where the industry started with a kitchen-sink approach (e.g. pluggable cipher suites in TLS) and ended up moving towards fixed primitives (e.g. Wireguard mostly uses DJB-originated techniques, take them or leave them). The general lesson from that seems to be that a simpler, well-understood, well-tested and mostly static attack surface is better than a more complex, more fully-featured and more dynamic attack surface. I wonder whether we'll see a trend towards even more boring Linux distributions which focus on consistency over modernity. I wouldn't complain if we did.

8fingerlouie 9 months ago [–]

The main strength of WireGuard is that it’s simple. It’s like 10% of the code size of IPSEC.

Less code means less possibility for bugs, and is easier to audit.

In my book, WireGuard perfectly follows the UNIX philosophy of making a simple tool that does exactly one thing and does it well.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact