@bagder PHK said if he were the NSA and wanted to undermine encryption on the Internet, an easy way would be to contribute patches with misleading docs, obfuscated code, and deceptive/insecure defaults to create OpenSSL's API.
@kornel I don't believe that is "easy" at all.
@bagder the talk is tongue-in-cheek. It makes semi-plausible observations about how incessant bikeshedders, defeatist arguments, patches that bolt on ad-hoc features neglecting docs and overall architecture, etc. are close to what the NSA could be doing to undermine projects, and have perfect deniability.
It was especially relevant at the time of Snowden leaks and Heartbleed.
@kornel I know. I actually saw his talk live at FOSDEM. I was only reacting to the notion that it would be easy to do any of it. Because I don't think so.
@bagder
And force people to use centralized SSL authentication certs and DNS systems.
And nag people to death about self-signed certs and cookies.
And centralize access to webmail.
And #EEE (#enshittify) most popular apps for encrypted communication.
Anticipated all this a decade before Doctorow coined the word #Enshittification
@kornel
@hobs @bagder Yeah, these scenarios have happened anyway (although I don't agree with PHK on all of them). OpenSSL has accumulated a mountain of tech debt and a footgunny API, with or without the NSA's help.
The custom QUIC impl nobody wants, and the obstruction of other impls may be an organic outcome, but it is what a spy agency would give promotions for.