7/4/2026 at 12:35:49 AM
by zdw
7/4/2026 at 4:40:08 AM
This was a fun read. My introduction to threat modeling was from this post: https://www.privacyguides.org/en/basics/threat-modeling/
It's a bit shorter and focused for people interested in privacy.
by Cider9986
7/4/2026 at 8:24:22 AM
Really enjoyed this framing of threat modelling as a way to make assumptions explicit and not just a compliance checklist. It was also quite amusing and sassy. Well done to the author, great piece! The point that secure is meaningless without defining the adversary and assets is especially important. One thing it doesn't tackle that I would like to know more about is how do teams keep these assumptions and threat models current as the system and its environment evolve? I think that is a massive challenge.
by raychis
7/4/2026 at 9:29:42 AM
[flagged]
by ironimo
7/4/2026 at 9:29:51 AM
[flagged]
by ironimo
7/4/2026 at 9:58:43 AM
Yes, your AI agent is making posts. Please stop.
by tux3
7/4/2026 at 12:53:22 AM
This is the best gay furry blog post about threat modeling I've seen all day!
by mapontosevenths
7/4/2026 at 11:40:17 AM
> Please remember that Dhole Moments is a furry blog before complaining about the furry art. It gets exhausting.
Articles about cybersecurity get 100% credibility when made by furries.
by Lucasoato
7/4/2026 at 1:35:24 PM
I wonder what the reaction would be if the folks beyond the HN crowd understood the extent to which the internet runs on queer / trans / catgirl / furry power?
by phrotoma
7/4/2026 at 2:48:53 PM
Perhaps being furry is a mythical power amplifier, like a devil fruit for infosec. Imagine the power levels of Filippo Valsorda if he gains a fursona!
by xeonmc
7/4/2026 at 11:06:46 AM
Maybe I shouldn't, but I stopped taking the author seriously for their lack of nuance/extremely biased views favouring Signal in every article about E2EE applied to IM. But I do agree that threat modeling is just a support to formalize and document the variables in the threat equation. It doesn't say anything about whether the threat is reasonable, legitimate and grounded in reality, so it's only knocking the subjectivity can a tad down the road.
by ezst
7/4/2026 at 2:08:22 PM
perhaps not the kind of nuance you mean, but this post criticizes signal for not having a threat model
by throawayonthe
7/4/2026 at 4:20:42 PM
The author is an over-opinionated a*hole, so not taking him seriously is perfectly fine.
by frmersdog
7/4/2026 at 11:47:18 AM
Does one have to be nuanced in everything one says? I'm not a fan of Signal's threat model, especially their historical threat models (e.g. acting like it's safe to link users to phone numbers, and then advertise which phone numbers are and aren't using Signal), but Signal's main protocol seems pretty solid, especially compared to some other systems.
by wizzwizz4
7/4/2026 at 12:35:14 PM
> Does one have to be nuanced in everything one says?
No, but unlike a computer, the real world isn't binary, and recognising that it's flawed and full of compromises generally heightens your chances of affecting it (by your ideas or actions).
> I'm not a fan of Signal's threat model […] but Signal's main protocol seems pretty solid, especially compared to some other systems.
My main gripe with Signal is that no amount of protocol sophistication can undo the problems linked to it being a centralised service. Soatok seems unable to acknowledge that centralisation is a real (privacy, security, reliability, political, …) concern here, nor to see value in the decentralised (federated/P2P) alternative protocols implementing the same double-ratched/PFS crypto primitives.
by ezst
7/4/2026 at 12:53:27 PM
> Soatok seems unable to acknowledge that centralisation is a real (privacy, security, reliability, political, …) concern here, nor to see value in the decentralised (federated/P2P) alternative protocols implementing the same double-ratched/PFS crypto primitives.
I genuinely do not understand where this impression is coming from. The only thing I've ever written about this topic acknowledges that centralization has risks, but a perfectly decentralized system that doesn't properly encrypt data end-to-end is bad for user privacy.
The cryptography needs to be excellent. "But decentralization" doesn't cut it.
https://soatok.blog/2025/07/09/jurisdiction-is-nearly-irrele...
Disagreeing with me is one thing, but claiming I seem "unable to acknowledge" anything is dishonest.
by some_furry
7/4/2026 at 12:02:39 PM
Maybe it's because I'm a bad writer, but I've heard from at least a half dozen people in recent years that they think I'm too pro-Signal when my actual stance wasn't "Signal is good" but rather "all these so-called alternatives suck ass when it comes to cryptography implementations".
Signal pisses me off in a lot of ways.
If someone joins a group chat and posts horrific content, the admins cannot clean it up. This extremely basic functionality doesn't meet the most basic bar for group moderation and safety tools. This means a troll posting a high-frequency flashing GIF to a group chat full of epileptic people is going to cause real harm. This means someone joining a chat and posting unsolicited CSAM will legally imperil everyone present and the admins are powerless to intervene at all. They seem really indifferent on fixing this.
I would love for an alternative app to materialize that provided the same level of cryptographic excellence as Signal but without the enormous ego of their marketing teams or evangelists, which actually put a microgram of care into user experience and community safety. None of the alternatives people raise meet the bar, and I find it extremely disingenuous when people insist their privacy (which is a second-order property from their cryptographic implementations) is somehow "better than Signal". So when people do this, I tend to 0day their favored apps.
https://soatok.blog/encrypted-messaging-apps/
We, collectively, as an industry, should be able to do better. That we haven't is depressing.
by some_furry
7/4/2026 at 12:26:21 PM
You've written about the minimum bar before (https://soatok.blog/2024/07/31/what-does-it-mean-to-be-a-sig...). Have you written up your Signal criticisms / desired features anywhere? (Or, do you know where anyone else has?)
I have my own ideas about requirements, but they're not concrete enough to say "requirements analysis done, let's start programming"; and most people I talk to haven't thought about this enough to be helpful.
by wizzwizz4
7/4/2026 at 12:29:14 PM
I've posted on the Signal Discourse and even had a colleague ask the Signal devs at Real World Crypto this year about this missing feature.
No dice on either approach.
by some_furry
7/4/2026 at 4:01:05 AM
> Hybrid PQ+ECDH is a hedged bet against an algorithm break before Q-Day, but is utterly fucking useless over Pure PQ once Q-Day occurs.
there is also the likelihood that Q-Day never arrives, either because something we don't know prevents the construction of sufficiently large quantum computers (e.g. quantum gravity) or because the entire field was a scam. in that scenario abandoning ECC would have been pretty stupid.
by teravor
7/4/2026 at 7:15:04 PM
There's a lot of stuff in this post I agree with. There's also a lot of stuff that hints that the author doesn't believe in the worst case they name: that there might be a classical cryptanalytic attack on ML-KEM that occurs before Q-day.
by matthewdgreen
7/4/2026 at 8:49:20 PM
> there is also the likelihood that Q-Day never arrives
A lot of big players have accelerated their Q-day timelines fairly recently by years.
by esseph
7/4/2026 at 4:14:58 AM
Hi, I'm the author of this blog post!
> there is also the likelihood that Q-Day never arrives, either because something we don't know prevents the construction of sufficiently large quantum computers (eg. quantum gravity)
That is possible, but given the recent 2029 timelines from large Internet providers, I think it's prudent to prepare for Q-Day even if it never arrives.
> or because the entire field was a scam.
The field is like... a magnet for scams, sure. But it, itself, isn't one.
And, like, the Quantum Village at DEFCON has really failed to establish credibility in my eyes.
https://soatok.blog/2022/08/18/burning-trust-at-the-quantum-...
https://soatok.blog/2023/08/20/defcon-quantum-village-2-elec...
> in that scenario abandoning ECC would have been pretty stupid.
Not really, no. See https://blog.trailofbits.com/2024/07/01/quantum-is-unimporta... for a counter-point.
by some_furry
7/4/2026 at 5:17:59 AM
> That is possible, but given the recent 2029 timelines from large Internet providers, I think it's prudent to prepare for Q-Day even if it never arrives.
no one argues we shouldn't. you made the argument that we should abandon ECC by not doing hybrid, in my opinion it's an extremely weak argument because it assumes Q-Day will arrive. don't change goalposts.
the article you linked supports my position.
> the fear of the quantum doomsayers is based on a completely valid observation: the internet has put nearly all of its cryptographic eggs into the single basket of the hidden subgroup problem.
> By the time the next phase of standardization is over, we can expect to have algorithms based on at least three or four different mathematical problems. If one of the selected problems were to fall to advances in quantum or classical algorithms, there are readily-available replacements that are highly unlikely to be affected by attacks on the fallen cryptosystems.
in fact, it makes the argument (if not directly) for a concatenation of multiple schemes. I'm all for it, hybrid++.
by teravor
7/4/2026 at 5:30:43 AM
> you made the argument that we should abandon ECC by not doing hybrid,
Where did I ever make that argument? In both TFA and my previous blog post, I've made it abundantly clear that I'm pro-hybrid.
My argument is simply:
1. The claimed benefits of ECDH hybridization evaporate immediately the moment Q-Day happens. No one disputes this.
2. Harvest Now, Decrypt Later (HNDL) is the primary threat we face today during the uncertain times where we don't know if Q-Day will ever happen.
Advocating for PQ+ECC hybrids over PQ is fine. But fear-mongering about PQ in this threat model is self-defeating: Once Q-Day happens, your only source of security is PQ anyway, so if we're going to do hybrids with today's threat model in mind, PQ+PQ is the way you really want to go (and PQ+PQ+EC if you really want EC). The blog post you're commenting on says this explicitly.
I'm not anti-hybrid. I'm anti "this is an NSA ploy" bullshit. And the IETF mailing list thread I'm mentioning is stuffed with this kind of irritating conspiracy theory rhetoric. I even link to, and quote, two examples of this.
by some_furry
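The argument above turns on what a PQ+EC hybrid actually does with its two shared secrets. As an added illustration that is not the blog's, Signal's or any IETF draft's code: a PQ+EC hybrid KEM written against Go 1.24's standard library (crypto/mlkem for ML-KEM-768, crypto/ecdh for X25519), with a SHA-256 combiner loosely modelled on, but not identical to, the X-Wing pattern of hashing both secrets, both ciphertexts and the recipient's EC public key under a fixed label. The combiner label, the struct and function names, and the choice of SHA-256 are this example's own assumptions. It shows the property the thread is arguing over: the session key is a function of both secrets, so an adversary who learns only the EC secret (the post-Q-Day case) or only the ML-KEM secret (a future classical break) still has nothing, and a tampered ML-KEM ciphertext silently yields a different key via implicit rejection rather than an error.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// combinerLabel is a domain-separation string. Hypothetical: chosen for this
// example only, not a label from any standard.
const combinerLabel = "hn-example-hybrid-kem/v1"

// Recipient holds the recipient's decapsulation keys for both component KEMs.
type Recipient struct {
	pq *mlkem.DecapsulationKey768
	ec *ecdh.PrivateKey
}

// PublicKeys is what the recipient publishes.
type PublicKeys struct {
	PQ *mlkem.EncapsulationKey768
	EC *ecdh.PublicKey
}

// Ciphertext carries one "ciphertext" per component: the ML-KEM-768 ciphertext
// (1088 bytes) and the sender's ephemeral X25519 public key (32 bytes), which
// plays the ciphertext role for the ECDH half.
type Ciphertext struct {
	PQ []byte
	EC []byte
}

// GenerateRecipient creates fresh ML-KEM-768 and X25519 key pairs.
func GenerateRecipient() (*Recipient, error) {
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, err
	}
	sk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Recipient{pq: dk, ec: sk}, nil
}

// Public returns the encapsulation keys to hand to senders.
func (r *Recipient) Public() PublicKeys {
	return PublicKeys{PQ: r.pq.EncapsulationKey(), EC: r.ec.PublicKey()}
}

// combine binds both shared secrets, both ciphertexts and the recipient's EC
// public key into a single 32-byte session key. Knowing ssEC alone or ssPQ
// alone leaves the output a full-entropy unknown: that is the hedge.
func combine(ssPQ, ssEC []byte, ct Ciphertext, pkEC []byte) [32]byte {
	h := sha256.New()
	for _, part := range [][]byte{ssPQ, ssEC, ct.PQ, ct.EC, pkEC, []byte(combinerLabel)} {
		h.Write(part)
	}
	var key [32]byte
	copy(key[:], h.Sum(nil))
	return key
}

// Encapsulate is the sender side: one ML-KEM encapsulation plus one ephemeral
// X25519 exchange, fed through the combiner.
func Encapsulate(pk PublicKeys) ([32]byte, Ciphertext, error) {
	ssPQ, ctPQ := pk.PQ.Encapsulate()
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return [32]byte{}, Ciphertext{}, err
	}
	ssEC, err := eph.ECDH(pk.EC)
	if err != nil {
		return [32]byte{}, Ciphertext{}, err
	}
	ct := Ciphertext{PQ: ctPQ, EC: eph.PublicKey().Bytes()}
	return combine(ssPQ, ssEC, ct, pk.EC.Bytes()), ct, nil
}

// Decapsulate is the recipient side. A corrupted ML-KEM ciphertext of the
// right length does not error: ML-KEM's implicit rejection returns a
// pseudorandom secret instead, so the combined key mismatches and whatever
// AEAD is keyed from it will fail to authenticate.
func (r *Recipient) Decapsulate(ct Ciphertext) ([32]byte, error) {
	ssPQ, err := r.pq.Decapsulate(ct.PQ)
	if err != nil {
		return [32]byte{}, err
	}
	ephPub, err := ecdh.X25519().NewPublicKey(ct.EC)
	if err != nil {
		return [32]byte{}, err
	}
	ssEC, err := r.ec.ECDH(ephPub)
	if err != nil {
		return [32]byte{}, err
	}
	return combine(ssPQ, ssEC, ct, r.ec.PublicKey().Bytes()), nil
}

func main() {
	r, err := GenerateRecipient()
	if err != nil {
		panic(err)
	}
	k1, ct, err := Encapsulate(r.Public())
	if err != nil {
		panic(err)
	}
	k2, err := r.Decapsulate(ct)
	if err != nil {
		panic(err)
	}
	fmt.Println("keys match:", bytes.Equal(k1[:], k2[:]))
	fmt.Printf("ciphertext sizes: ML-KEM-768 %d bytes, X25519 %d bytes\n", len(ct.PQ), len(ct.EC))
}
```

The size line in main is the concrete form of the "only downside is public key/ciphertext size" point made further down the thread: the EC half costs 32 bytes on the wire, the ML-KEM half 1088. Note that nothing in this construction distinguishes "PQ+EC" from "PQ+PQ"; swapping the X25519 half for a second lattice or code-based KEM changes only which secrets feed combine, which is exactly why the choice is a threat-model question rather than a combiner question.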
7/4/2026 at 10:57:04 AM
> Once Q-Day happens, your only source of security is PQ anyway, so if we're going to do hybrids with today's threat model in mind, PQ+PQ is the way you really want to go
I want to broadly agree but I still can't resist arguing :)
EC is really cheap on the CPU and I trust that libsodium's X25519 is implemented pretty solidly. After Q day, the $ price to break EC is still not negligible.
Whereas PQ+PQ is really expensive. I'm anti PQ+PQ hybrid just on cost. PQ+EC is practically free and still inflicts $'s on attackers after Q day (attacks do get cheaper and you discard the EC at some point, but practically I don't see EC as instantly worthless).
by tux3
7/4/2026 at 11:21:49 AM
I’ve seen arguments that PQ algorithms are easier to implement correctly than ECDH, thus reducing that risk. I’d have to try it myself to really assess that, but for now I believe them. I’d say the real cost is performance.
by loup-vaillant
7/4/2026 at 11:39:13 AM
ML-KEM is faster than X25519. The only performance downside is public key/ciphertext size. https://quantumsecuritydefence.com/quantum-news/ml-kem-vs-x2...
by some_furry
7/4/2026 at 11:18:01 AM
In your PQ safety blanket article https://soatok.blog/2026/04/13/hybrid-constructions-the-post... you make it pretty clear the reason you support hybrid is tactical, not cryptographic.
Your wording ("Once Q-Day happens") strongly suggests Q-Day will happen, like, it’s so certain you don’t even need to state it explicitly, you can just assume it will. And your references to the PQ timeline give the impression that you think it will likely happen soon.
It’s pretty clear from there that you think ECDH is now technically useless, and the only real justification for hybrid schemes (as opposed to pure PQ), is to reassure the people still unsure about the likes of ML-KEM. Sure you still do recommend going hybrid, but from what I can tell, you would have preferred a world where we go pure PQ right away.
And so would I to be honest (if ECC is a bust): one algorithm is simpler and faster than two.
by loup-vaillant
7/4/2026 at 11:44:47 AM
> In your PQ safety blanket article https://soatok.blog/2026/04/13/hybrid-constructions-the-post... you make it pretty clear the reason you support hybrid is tactical, not cryptographic.
What does it matter that my public arguments are tactical? Hybrid gets us to PQ faster, which makes progress on plugging up the HNDL risk.
> Your wording ("Once Q-Day happens") strongly suggests Q-Day will happen, like, it’s so certain you don’t even need to state it explicitly, you can just assume it will.
The literal opening section is talking about recent changes in direction from large Internet providers about quantum computing risks.
The rest of the article is predicated on "these companies' risk assessment turns out to be correct".
Separately, in https://soatok.blog/2024/09/13/e2ee-for-the-fediverse-update... I wrote more about my actual beliefs about the likelihood of Q-Day.
> It’s pretty clear from there that you think ECDH is now technically useless, and the only real justification for hybrid schemes (as opposed to pure PQ), is to reassure the people still unsure about the likes of ML-KEM. Sure you still do recommend going hybrid, but from what I can tell, you would have preferred a world where we go pure PQ right away.
You are extrapolating from the subsidiary clause of an if statement whose truth value I do not claim to know.
> And so would I to be honest (if ECC is a bust): one algorithm is simpler and faster than two.
Sure.
by some_furry
7/4/2026 at 4:20:22 PM
> recent changes in direction from large Internet providers about quantum computing risks.
Do we have reason to suspect Google and Cloudflare have inside knowledge about quantum computers? To me this is more about the end of the NIST contest, and that one has no bearing on actual advances in quantum computing.
> The rest of the article is predicated on "these companies' risk assessment turns out to be correct".
Err, where did you write that? I can’t find it in your last two articles.
> You are extrapolating from […]
I extrapolate mostly from this:
"I generally prefer hybrid KEMs–not out of any practical concern over ML-KEM’s security (or any other PQ KEMs, generally), but for reasons I’ll explain later in this blog post."
And this:
"Hybrid KEMs are an easier sell to people who are not cryptography experts than pure post-quantum KEMs for reasons that are mostly related to psychological safety than cryptographic safety."
https://soatok.blog/2026/04/13/hybrid-constructions-the-post...
Sorry if I’m misinterpreting, but as you can see I’m not the only one.
---
Anyway, good article on threat models.
by loup-vaillant
7/4/2026 at 8:52:29 PM
> Do we have reason to suspect Google and Cloudflare have inside knowledge about quantum computers?
Yes.
Both have internal global security orgs that are constantly communicating with other large companies and governments. If they are accelerating (as are others), it is a signal.
The reliability of that signal is up to the reader to determine.
https://www.microsoft.com/en-us/security/blog/2026/06/30/mic...
by esseph
7/4/2026 at 4:24:57 PM
> Err, where did you write that? I can’t find it in your last two articles.
Just now. In an HN comment.
I write in conversational English. I'm not always going to meticulously write everything like a formal argument might.
If you didn't understand that what I wrote later in a blog post was predicated on an assumption established in the intro, but would have if I wrote an explicit transitional sentence, that's useful feedback. But if you're treating an informal blog post like a court filing, you might be setting yourself up for disappointment.
by some_furry
7/4/2026 at 5:21:47 PM
> I write in conversational English.
Fair enough.
When I write an article (and to a lesser extent even a comment like here), I tend to agonise over every sentence. I’m guessing I’m kinda assuming others do the same. Except of course they don’t.
by loup-vaillant
7/4/2026 at 5:26:19 PM
It depends what I'm doing.
My day job involves a lot of code review and protocol cryptanalysis, so I agonize quite a bit there.
My blog would be less fun if I maintained the same level of rigor. If that makes any sense. ^^;
by some_furry
7/4/2026 at 6:34:38 PM
It does :-)
by loup-vaillant
7/4/2026 at 6:37:54 AM
I’m a passive observer on the same list and have been for at least several years. I don’t plan to comment on the WGLC currently going on… but I will be so extremely happy once the subject is done with.
It’s like watching a cybersecurity version of Dawson's Creek or The Young and the Restless or… Jerry Springer?! Insane
by yardstick
7/4/2026 at 5:35:24 AM
in that case my mistake. i always assumed that the `NSA ploy` was strategic bullshit, the sort of thing you say to get support from NSA haters.
it wouldn't even occur to me that someone would take time addressing it without being one of those anti-hybrid people.
by teravor
7/4/2026 at 3:57:23 PM
Is there any downside to hybrid schemes other than using a bit more compute? If so, then merely being able to hedge against unknown classical algorithmic flaws in the PQC candidates (which are not nearly as battle tested as ECC) seems like enough of a reason to do it.
by ls612
7/4/2026 at 4:02:47 PM
Read https://soatok.blog/2026/04/13/hybrid-constructions-the-post... for a longer explanation.
The main thing I want to stress here is: I'm not anti-hybrid. Some people are. They tend to argue that less code / complexity is better, but you'll want to find one of them to ask directly.
by some_furry
7/4/2026 at 4:22:56 PM
So the argument boils down to:
1. A mathematical attack against the PQC candidates would also break ECC (I have no ability to judge this claim).
2. Implementation bugs also exist in classical implementations.
#2 seems questionable to me unless you think the same implementation bugs will exist in Curve25519 and whatever PQC algorithm you are using. If the concern is side-channel attacks then that is irrelevant to a HNDL attack. But for most communications the cost of a HNDL attack being executed several years minimum from now is far lower than the cost of an implementation bug in ML-KEM breaking their security today. Whereas Curve25519 is very well tested in its standard implementations.
by ls612
7/4/2026 at 5:37:31 PM
You mostly got it, yeah. Point 1, ECC is only also broken after Q-Day.
Hybrids obviously help if you believe Q-Day is far into the future, or never coming.
But if you take Q-Day happening as possible in our lifetime, the HNDL threat means data being encrypted today depends entirely on PQ security in the long run (since breaking EC with a Quantum Computer has an attack cost of like 2^30 or so instead of 2^120 or so).
by some_furry
7/4/2026 at 8:53:57 PM
So it seems like it comes down to a question of risk and cost. If your threat model is that it is much more costly for your communications to be decrypted today vs in 10 years then hybrid is a good strategy.
by ls612
7/4/2026 at 12:50:29 AM
Wow, excellent guide! And I love the E2EE example.
by evanprodromou