(The Futility of) Keeping Secrets from Yourself

Many interesting problems in software design boil down to “I need my client application to know a secret, but I don’t want the user of that application (or malware) to be able to learn that secret.“ Some examples include: …and likely others. In general, if your design relies on having a client protect a secretContinue reading “(The Futility of) Keeping Secrets from Yourself”

Local Data Encryption in Chromium

Back in February, I wrote about browser password managers and mentioned that it’s important to understand the threat model when deciding how to implement features and their security protections. Generally speaking, “keeping secrets from yourself” is a fool’s errand, so it’s a waste of time and effort to encrypt data if you have to storeContinue reading “Local Data Encryption in Chromium”