raychis 10 hours ago [-]
Really enjoyed this framing of threat modelling as a way to make assumptions explicit and not just a compliance checklist. It was also quite amusing and sassy. Well done to the author, great piece!
The point that secure is meaningless without defining the adversary and assets is especially important.
One thing it doesn't tackle that I would like to know more about is how do teams keep these assumptions and threat models current as the system and its environment evolve? I think that is a massive challenge.
ironimo 9 hours ago [-]
[flagged]
ironimo 9 hours ago [-]
[flagged]
tux3 8 hours ago [-]
Yes, your AI agent is making posts. Please stop.
mapontosevenths 17 hours ago [-]
This is the best gay furry blog post about threat modeling I've seen all day!
Lucasoato 7 hours ago [-]
> Please remember that Dhole Moments is a furry blog before complaining about the furry art. It gets exhausting.
Articles about cybersecurity get 100% credibility when made by furries.
phrotoma 5 hours ago [-]
I wonder what the reaction would be if the folks beyond the HN crowd understood the extent to which the internet runs on queer / trans / catgirl / furry power?
xeonmc 4 hours ago [-]
Perhaps being furry is a mythical power amplifier, like a devil fruit for infosec. Imagine the power levels of Filippo Valsorda if he gains a fursona!
ezst 7 hours ago [-]
Maybe I shouldn't, but I stopped taking the author seriously for their lack of nuance/extremely biased views favouring Signal in every article about E2EE applied to IM. But I do agree that threat modeling is just a support to formalize and document the variables in the threat equation. It doesn't say anything about whether the threat is reasonable, legitimate and grounded in reality, so it's only knocking the subjectivity can a tad down the road.
frmersdog 2 hours ago [-]
The author is an over-opinionated a*hole, so not taking him seriously is perfectly fine.
throawayonthe 4 hours ago [-]
perhaps not the kind of nuance you mean, but this post criticizes signal for not having a threat model
wizzwizz4 7 hours ago [-]
Does one have to be nuanced in everything one says? I'm not a fan of Signal's threat model, especially their historical threat models (e.g. acting like it's safe to link users to phone numbers, and then advertise which phone numbers are and aren't using Signal), but Signal's main protocol seems pretty solid, especially compared to some other systems.
ezst 6 hours ago [-]
> Does one have to be nuanced in everything one says?
no, but unlike a computer, the real world isn't binary, and recognising that it's flawed and full of compromises generally heightens your chances of affecting it (by your ideas or actions).
> I'm not a fan of Signal's threat model […] but Signal's main protocol seems pretty solid, especially compared to some other systems.
My main gripe with Signal is that no amount of protocol sophistication can undo the problems linked to it being a centralised service. Soatok seems unable to acknowledge that centralisation is a real (privacy, security, reliability, political, …) concern here, nor to see value in the decentralised (federated/P2P) alternative protocols implementing the same double-ratchet/PFS crypto primitives.
some_furry 5 hours ago [-]
> Soatok seems unable to acknowledge that centralisation is a real (privacy, security, reliability, political, …) concern here, nor to see value in the decentralised (federated/P2P) alternative protocols implementing the same double-ratchet/PFS crypto primitives.
I genuinely do not understand where this impression is coming from. The only thing I've ever written about this topic acknowledges that centralization has risks, but a perfectly decentralized system that doesn't properly encrypt data end-to-end is bad for user privacy.
The cryptography needs to be excellent. "But decentralization" doesn't cut it.
https://soatok.blog/2025/07/09/jurisdiction-is-nearly-irrele...
Disagreeing with me is one thing, but claiming I seem "unable to acknowledge" anything is dishonest.
some_furry 6 hours ago [-]
Maybe it's because I'm a bad writer, but I've heard from at least a half dozen people in recent years that they think I'm too pro-Signal when my actual stance wasn't "Signal is good" but rather "all these so-called alternatives suck ass when it comes to cryptography implementations".
Signal pisses me off in a lot of ways.
If someone joins a group chat and posts horrific content, the admins cannot clean it up. This extremely basic functionality doesn't meet the most basic bar for group moderation and safety tools. This means a troll posting a high-frequency flashing GIF to a group chat full of epileptic people is going to cause real harm. This means someone joining a chat and posting unsolicited CSAM will legally imperil everyone present and the admins are powerless to intervene at all. They seem really indifferent about fixing this.
I would love for an alternative app to materialize that provided the same level of cryptographic excellence as Signal but without the enormous ego of their marketing teams or evangelists, which actually put a microgram of care into user experience and community safety. None of the alternatives people raise meet the bar, and I find it extremely disingenuous when people insist their privacy (which is a second-order property from their cryptographic implementations) is somehow "better than Signal". So when people do this, I tend to 0day their favored apps.
https://soatok.blog/encrypted-messaging-apps/
We, collectively, as an industry, should be able to do better. That we haven't is depressing.
I have my own ideas about requirements, but they're not concrete enough to say "requirements analysis done, let's start programming"; and most people I talk to haven't thought about this enough to be helpful.
some_furry 6 hours ago [-]
I've posted on the Signal Discourse and even had a colleague ask the Signal devs at Real World Crypto this year about this missing feature.
No dice on either approach.
teravor 14 hours ago [-]
> Hybrid PQ+ECDH is a hedged bet against an algorithm break before Q-Day, but is utterly fucking useless over Pure PQ once Q-Day occurs.
there is also the likelihood that Q-Day never arrives, either because something we don't know prevents the construction of sufficiently large quantum computers (eg. quantum gravity) or because the entire field was a scam. in that scenario abandoning ECC would have been pretty stupid.
some_furry 14 hours ago [-]
Hi, I'm the author of this blog post!
> there is also the likelihood that Q-Day never arrives, either because something we don't know prevents the construction of sufficiently large quantum computers (eg. quantum gravity)
That is possible, but given the recent 2029 timelines from large Internet providers, I think it's prudent to prepare for Q-Day even if it never arrives.
> or because the entire field was a scam.
The field is like... a magnet for scams, sure. But it, itself, isn't one.
And, like, the Quantum Village at DEFCON has really failed to establish credibility in my eyes.
https://soatok.blog/2022/08/18/burning-trust-at-the-quantum-...
https://soatok.blog/2023/08/20/defcon-quantum-village-2-elec...
> in that scenario abandoning ECC would have been pretty stupid.
Not really, no. See https://blog.trailofbits.com/2024/07/01/quantum-is-unimporta... for a counter-point.
> That is possible, but given the recent 2029 timelines from large Internet providers, I think it's prudent to prepare for Q-Day even if it never arrives.
no one argues we shouldn't. you made the argument that we should abandon ECC by not doing hybrid, in my opinion it's an extremely weak argument because it assumes Q-Day will arrive. don't change goalposts.
the article you linked supports my position.
> the fear of the quantum doomsayers is based on a completely valid observation: the internet has put nearly all of its cryptographic eggs into the single basket of the hidden subgroup problem.
> By the time the next phase of standardization is over, we can expect to have algorithms based on at least three or four different mathematical problems. If one of the selected problems were to fall to advances in quantum or classical algorithms, there are readily-available replacements that are highly unlikely to be affected by attacks on the fallen cryptosystems.
in fact, it makes the argument (if not directly) for a concatenation of multiple schemes. I'm all for it, hybrid++.
some_furry 13 hours ago [-]
> you made the argument that we should abandon ECC by not doing hybrid,
Where did I ever make that argument? In both TFA and my previous blog post, I've made it abundantly clear that I'm pro-hybrid.
My argument is simply:
1. The claimed benefits of ECDH hybridization evaporate immediately the moment Q-Day happens. No one disputes this.
2. Harvest Now, Decrypt Later (HNDL) is the primary threat we face today during the uncertain times where we don't know if Q-Day will ever happen.
Advocating for PQ+ECC hybrids over PQ is fine. But fear-mongering about PQ in this threat model is self-defeating: Once Q-Day happens, your only source of security is PQ anyway, so if we're going to do hybrids with today's threat model in mind, PQ+PQ is the way you really want to go (and PQ+PQ+EC if you really want EC). The blog post you're commenting on says this explicitly.
I'm not anti-hybrid. I'm anti "this is an NSA ploy" bullshit. And the IETF mailing list thread I'm mentioning is stuffed with this kind of irritating conspiracy theory rhetoric. I even link to, and quote, two examples of this.
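The two points above (hybrid benefits evaporate once one component falls, and a hybrid is only as strong as its strongest surviving component) can be checked mechanically with a KEM combiner. The following is an added example, not code from the blog post or from any library it names: it implements the usual "length-prefix every component's shared secret, ciphertext and public key, then HMAC with a label" combiner, and feeds it constructed byte strings standing in for ML-KEM-768, X25519 and a hypothetical second PQ KEM ("OtherPQ"). It then asks, for PQ+EC, PQ+PQ and PQ+PQ+EC, whether the derived key stays out of reach of an adversary who has recovered some component secrets.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One KEM's contribution. `name` is only a transcript label; no real
    ML-KEM or X25519 is run here, the byte strings are constructed."""
    name: str
    shared_secret: bytes   # output of decaps(); the only secret part
    ciphertext: bytes      # public: sent on the wire, recordable for HNDL
    public_key: bytes      # public


def combine(components, label=b"hybrid-kem-example-v1"):
    """Derive a 32-byte session key from all component KEMs.

    Every component's ss, ct and pk are length-prefixed into one transcript
    and run through HMAC-SHA256 (extract, then expand). Binding ct and pk,
    not just ss, is what stops a weak component from letting an attacker
    substitute a ciphertext of their choosing without changing the key.
    """
    if len(components) < 2:
        raise ValueError("a hybrid needs at least two components")
    transcript = bytearray()
    for c in components:
        for part in (c.name.encode(), c.shared_secret, c.ciphertext, c.public_key):
            transcript += len(part).to_bytes(4, "big") + part
    prk = hmac.new(label, bytes(transcript), hashlib.sha256).digest()
    return hmac.new(prk, label + b"\x01", hashlib.sha256).digest()


def adversary_key(components, recovered):
    """Best effort of an adversary who has recovered the shared secrets of the
    components named in `recovered` and, as always, sees every ct and pk.
    Returns None while any component's ss is unknown: the transcript is then
    unknown to them, so the HMAC output is unpredictable."""
    if not all(c.name in recovered for c in components):
        return None
    return combine(components)


def key_survives(components, recovered):
    """True if the real session key stays out of this adversary's reach."""
    return adversary_key(components, recovered) != combine(components)


def fresh(name, rng=os.urandom):
    # Constructed stand-in for what encaps()/decaps() would produce.
    return Component(name, rng(32), rng(64), rng(64))


def scenarios(rng=os.urandom):
    """Three hybrid shapes against three adversaries: a classical break of
    ML-KEM before Q-Day, Q-Day itself (all EC secrets recovered), and Q-Day
    combined with a break of ML-KEM."""
    mlkem, other_pq, ec = fresh("ML-KEM-768", rng), fresh("OtherPQ", rng), fresh("X25519", rng)
    hybrids = {
        "PQ+EC": [mlkem, ec],
        "PQ+PQ": [mlkem, other_pq],
        "PQ+PQ+EC": [mlkem, other_pq, ec],
    }
    adversaries = {
        "ML-KEM broken": {"ML-KEM-768"},
        "Q-Day": {"X25519"},
        "Q-Day + ML-KEM broken": {"ML-KEM-768", "X25519"},
    }
    return {h: {a: key_survives(comps, rec) for a, rec in adversaries.items()}
            for h, comps in hybrids.items()}


if __name__ == "__main__":
    for hybrid, results in scenarios().items():
        print(hybrid, results)
```

Read the PQ+EC row against the thread: the EC component only matters in the "ML-KEM broken" column (the pre-Q-Day hedge), and in the "Q-Day" column the key survives purely because ML-KEM's secret is still unknown.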
tux3 7 hours ago [-]
>Once Q-Day happens, your only source of security is PQ anyway, so if we're going to do hybrids with today's threat model in mind, PQ+PQ is the way you really want to go
I want to broadly agree but I still can't resist arguing :)
EC is really cheap on the CPU and I trust that libsodium's X25519 is implemented pretty solidly. After Q day, the $ price to break EC is still not negligible.
Whereas PQ+PQ is really expensive. I'm anti PQ+PQ hybrid just on cost. PQ+EC is practically free and still inflicts $'s on attackers after Q day (attacks do get cheaper and you discard the EC at some point, but practically I don't see EC as instantly worthless).
loup-vaillant 7 hours ago [-]
I’ve seen arguments that PQ algorithms are easier to implement correctly than ECDH, thus reducing that risk. I’d have to try it myself to really assess that, but for now I believe them. I’d say the real cost is performance.
Your wording ("Once Q-Day happens") strongly suggests Q-Day will happen, like, it’s so certain you don’t even need to state it explicitly, you can just assume it will. And your references to the PQ timeline give the impression that you think it will likely happen soon.
It’s pretty clear from there that you think ECDH is now technically useless, and the only real justification for hybrid schemes (as opposed to pure PQ), is to reassure the people still unsure about the likes of ML-KEM. Sure you still do recommend going hybrid, but from what I can tell, you would have preferred a world where we go pure PQ right away.
And so would I to be honest (if ECC is a bust): one algorithm is simpler and faster than two.
What does it matter that my public arguments are tactical? Hybrid gets us to PQ faster, which makes progress on plugging up the HNDL risk.
> Your wording ("Once Q-Day happens") strongly suggests Q-Day will happen, like, it’s so certain you don’t even need to state it explicitly, you can just assume it will.
The literal opening section is talking about recent changes in direction from large Internet providers about quantum computing risks.
The rest of the article is predicated on "these companies' risk assessment turns out to be correct".
Separately, in https://soatok.blog/2024/09/13/e2ee-for-the-fediverse-update... I wrote more about my actual beliefs about the likelihood of Q-Day.
> It’s pretty clear from there that you think ECDH is now technically useless, and the only real justification for hybrid schemes (as opposed to pure PQ), is to reassure the people still unsure about the likes of ML-KEM. Sure you still do recommend going hybrid, but from what I can tell, you would have preferred a world where we go pure PQ right away.
You are extrapolating from the subsidiary clause of an if statement whose truth value I do not claim to know.
> And so would I to be honest (if ECC is a bust): one algorithm is simpler and faster than two.
Sure.
loup-vaillant 2 hours ago [-]
> recent changes in direction from large Internet providers about quantum computing risks.
Do we have reason to suspect Google and Cloudflare have inside knowledge about quantum computers? To me this is more about the end of the NIST contest, and that one has no bearing on actual advances in quantum computing.
> The rest of the article is predicated on "these companies' risk assessment turns out to be correct".
Err, where did you write that? I can’t find it in your last two articles.
> You are extrapolating from […]
I extrapolate mostly from this:
"I generally prefer hybrid KEMs–not out of any practical concern over ML-KEM’s security (or any other PQ KEMs, generally), but for reasons I’ll explain later in this blog post."
And this:
"Hybrid KEMs are an easier sell to people who are not cryptography experts than pure post-quantum KEMs for reasons that are mostly related to psychological safety than cryptographic safety."
https://soatok.blog/2026/04/13/hybrid-constructions-the-post...
Sorry if I’m misinterpreting, but as you can see I’m not the only one.
---
Anyway, good article on threat models.
some_furry 2 hours ago [-]
> Err, where did you write that? I can’t find it in your last two articles.
Just now. In an HN comment.
I write in conversational English. I'm not always going to meticulously write everything like a formal argument might.
If you didn't understand that what I wrote later in a blog post was predicated on an assumption established in the intro, but would have if I wrote an explicit transitional sentence, that's useful feedback. But if you're treating an informal blog post like a court filing, you might be setting yourself up for disappointment.
loup-vaillant 1 hours ago [-]
> I write in conversational English.
Fair enough.
When I write an article (and to a lesser extent even a comment like here), I tend to agonise over every sentence. I’m guessing I’m kinda assuming others do the same. Except of course they don’t.
some_furry 56 minutes ago [-]
It depends what I'm doing.
My dayjob involves a lot of code review and protocol cryptanalysis, so I agonize quite a bit there.
My blog would be less fun if I maintained the same level of rigor. If that makes any sense. ^^;
yardstick 12 hours ago [-]
I’m a passive observer on the same list and have been for at least several years. I don’t plan to comment on the WGLC currently going on… but I will be so extremely happy once the subject is done with.
It’s like watching a cybersecurity version of Dawson's Creek or The Young and the Restless or… Jerry Springer?! Insane
teravor 13 hours ago [-]
in that case my mistake. i always assumed that the `NSA ploy` was strategic bullshit, the sort of thing you say to get support from NSA haters.
it wouldn't even occur to me that someone would take time addressing it without being one of those anti-hybrid people.
ls612 2 hours ago [-]
Is there any downside to hybrid schemes other than using a bit more compute? If so then merely being able to hedge against unknown classical algorithmic flaws in the PQC candidates (which are not nearly as battle tested as ECC) seems like enough of a reason to do it.
The main thing I want to stress here is: I'm not anti-hybrid. Some people are. They tend to argue that less code / complexity is better, but you'll want to find one of them to ask directly.
ls612 2 hours ago [-]
So the argument boils down to
1. A mathematical attack against the PQC candidates would also break ECC (I have no ability to judge this claim).
2. Implementation bugs also exist in classical implementations.
#2 seems questionable to me unless you think the same implementation bugs will exist in Curve25519 and whatever PQC algorithm you are using. If the concern is side-channel attacks then that is irrelevant to a HNDL attack. But for most communications the cost of a HNDL attack being executed several years minimum from now is far lower than the cost of an implementation bug in ML-KEM breaking their security today. Whereas Curve25519 is very well tested in its standard implementations.
some_furry 45 minutes ago [-]
You mostly got it, yeah. Point 1, ECC is only also broken after Q-Day.
Hybrids obviously help if you believe Q-Day is far into the future, or never coming.
But if you take Q-Day happening as possible in our lifetime, the HNDL threat means data being encrypted today depends entirely on PQ security in the long run (since breaking EC with a Quantum Computer has an attack cost of like 2^30 or so instead of 2^120 or so).
evanprodromou 18 hours ago [-]
Wow, excellent guide! And I love the E2EE example.
My introduction to threat modeling was from this post: https://www.privacyguides.org/en/basics/threat-modeling/
It's a bit shorter and focused for people interested in privacy.