Pascal Junod
@cryptopathe.me
applied cryptographer - certified nerd god - head of cryptography & research at duokey - founder modulo p - ex-Snap - co-founder ex-strong.codes - has-been professor - trail runner - aidjolat
Reposted by Pascal Junod
matthewdgreen.bsky.social
This is amazing research by Nadia Heninger and her co-authors Wenyi Morty Zhang, Annie Dai, Keegan Ryan, Dave Levin and Aaron Schulman. TL;DR a huge number of satellite links over our heads are totally unencrypted. satcom.sysnet.ucsd.edu
🛰️ SATCOM Security
Research project homepage for SATCOM Security: papers, source code, and recent satellite communications vulnerabilities.
cryptopathe.me
👀 ⬇️
campuscodi.risky.biz
Firefox 144 is out with hardened encryption for locally stored passwords

www.firefox.com/en-US/firefo...
cryptopathe.me
Looks obvious to me...
ccanonne.github.io
I... I just don't know what to do
A red button, with a label taped on it that says PLEASE DO NOT PRESS
Reposted by Pascal Junod
financialtimes.com
The UK government has issued a new order to Apple to create a backdoor into its cloud storage service, this time targeting only British users’ data on.ft.com/4nonyx0
cryptopathe.me
Everybody knows Levenshtein distance, but only @cosic.bsky.social people know Leuvenshtein distance.
Created by Wouter Leiet, COSIC - KU Leuven / Accelerated on FPGA by Belfort / Leuvenshtein Database Demo / Preprocessing / Encrypting and processing the database
Reposted by Pascal Junod
matthewdgreen.bsky.social
I’m flagging this nice book/paper on FHE schemes not necessarily because it’s correct and I endorse it, but because it looks pretty useful. arxiv.org/pdf/2503.05136
Reposted by Pascal Junod
quarkslab.bsky.social
RTFM they say but if you read the manual and copy code examples from it you may inadvertently introduce vulns in your code 🙀
In April we audited the PHP code. Now we followed up with a review of the code snippets in PHP documentation and found 81 issues 👇
blog.quarkslab.com/security-rev...
Security review of PHP documentation - Quarkslab's blog
The Open Source Technology Improvement Fund, Inc., engaged with Quarkslab to perform a security audit of the code snippets in the English version of PHP documentation, focused on some specific pages.
Reposted by Pascal Junod
cryptopathe.me
Stopped reading at "[...] the resulting guarantees are only asymptotic. At best, one can state that “the probability that an adversary learns something about the secret message [...] decreases rapidly with increasing key length.”" They seem stuck in the 80's. en.wikipedia.org/wiki/Concret...
Concrete security - Wikipedia
Reposted by Pascal Junod
cosic.bsky.social
Check out the new open letter signed by more than 450 scientists who have serious concerns on the latest (July 2025) version of the chat control proposal. csa-scientist-open-letter.org/Sep2025
Reposted by Pascal Junod
signal.org
Signal @signal.org · Sep 8
Until now, if you lost or broke your phone, your Signal message history was *gone,* a real challenge for everyone whose most important conversations happen in Signal. So, with careful design and development, we’re rolling out opt-in secure backups.

signal.org/blog/introducing-secure-backups
Introducing Signal Secure Backups
In the past, if you broke or lost your phone, your Signal message history was gone. This has been a challenge for people whose most important conversations happen on Signal. Think family photos, sweet...
cryptopathe.me
"Stefan Wolf, the host of the panel, states his concern clearly: the e-ID leads to over-identification. [...] Wolf fears that, over time, the e-ID would become de facto mandatory, even for everyday things such as shopping in an online store." ⬅️ Stefan nails it, this is a very valid point.
Reposted by Pascal Junod
grapheneos.org
Swissquote has launched official support for GrapheneOS for their main app instead of it only being available for Yuh:

play.google.com/store/apps/d...

> What’s new
> - We now officially support GrapheneOS!
> - Bug fixes and minor improvements

They're verifying GrapheneOS via hardware attestation.
Swissquote - Apps on Google Play
Trade, invest and bank! Your all-in-one banking solution for smarter finances.
cryptopathe.me
I guess that a trained mathematician is well aware that a single sample brings only little information about a large sample space 😅
cryptopathe.me
We can agree on this point, and the security community is well aware of this fact. Yet, this is also the case for e.g., many important open-source projects that have experienced some success.
gro-tsen.bsky.social
And it misses the point, because the problem isn't just complexity, it's also the creation of a single point of failure: “Let's Encrypt” could either be taken down by a DDOS attack, or it could go out of business. And this would take down something like half of the Web.
cryptopathe.me
This claim comes out of nowhere. On my side, I genuinely don’t remember last time I hit an expired certificate. Months, if not years ago.
gro-tsen.bsky.social
… and the claim is experimentally wrong because I encounter sites that are broken ALL THE TIME. If a system breaks all the time, it's not “easy”.

And, of course, like >99.99% of all users, I just click on “shut up and let me see the site” without checking anything. So the security is exactly zero.
cryptopathe.me
No, “tremendous amount of complexity” and “absolute nightmare” is grossly over-exaggerated language. Most Linux distributions and web hosters make this experience uncomplicated.
gro-tsen.bsky.social
Finally, “it's really easy to configure an HTTPS-protected website” is both wrong and misses the point. It's wrong because it adds a tremendous amount of complexity (the Let's Encrypt renewal script is an absolute nightmare of bad documentation, incomprehensible options and dependencies); …
cryptopathe.me
Today, it's really easy to configure an HTTPS-protected website and set up automatic renewals. Sometimes it breaks, but such mishaps do not justify denigrating HTTPS or Let's Encrypt, or spreading wrong facts if we look at the benefits they bring for safeguarding our privacy and online security 😒.
cryptopathe.me
People having some minimal understanding of web and PGP security tend to not publish their private keys.
gro-tsen.bsky.social
2. The fallacy here 🔽 is that this offers a reasonable explanation why the KEY HOLDER may set an expiration date, but this is not a reason why the holder should be forced to do so.

PGP keys don't expire. You can't force security on people: they could well be publishing their secret key anyway.
cryptopathe.me
2. Certificates need to expire for many reasons: (a) Cryptographic strength of algorithms changes over time (broken ciphers, insufficient key sizes) and certificate expiration ensures that old, weak certificates are automatically phased out.
cryptopathe.me
Fair enough, they are referenced, but I meant they are ranked with very low priority if they compete with HTTPS-protected websites on the same keywords.
gro-tsen.bsky.social
4. 🔽 So, first, the “search engines don't reference HTTP-only websites” is just flat-out completely wrong. Search “site:madore.org” www.google.com/search?q=sit... for proof. Search in Bing or DuckDuckGo if you want to check it's not a Google thing.
cryptopathe.me
4. People don't set up HTTP-only websites anymore because search engines are not referencing them, and because browser vendors are pushing for HTTPS.
cryptopathe.me
Reality forces you to implement pragmatic solutions, which might not be perfectly adapted to any scenario or threat model.
gro-tsen.bsky.social
… And a threat model that makes sense for a banking site is completely different from a threat model for a webcomic (whose attack scenario is… uh… 🤔). The “one-size-fits-all” approach of HTTPS makes no sense because it tries to protect against Everything Everywhere All at Once.