Comment by aleqs
7 hours ago
You have no control over where TLS is terminated when you're talking to a 3p cloud service (with services you don't control/run like cloud LLM APIs). You also have no control over what spyware is installed on/around VMs you rent (and there's a lot). Also when talking about encryption between servers within datacenters you seem to be missing that in order for such multi-stage/path encryption (separate certs/keys) to be possible the data first has to be decrypted at each point, not to mention every major US tech company generally cooperates with the NSA and gives them access to anything they request (including allowing the installation of dedicated hardware to intercept decrypted traffic as has been publicly exposed and documented many times already).
Yours and others' claims that it's impossible and nonsensical is based on lack of understanding.
Yours and others' claims that things somehow got better after Snowden is just a completely baseless statement - if you actually looked into what happened post-Snowden - absolutely nothing was done to prevent NSA spying on any communications they want, in fact it got significantly worse.
> Yours and others' claims that it's impossible and nonsensical is based on lack of understanding.
lol, no, it's really not.
> Also when talking about encryption between servers within datacenters you seem to be missing that in order for such multi-stage/path encryption (separate certs/keys) to be possible the data first has to be decrypted at each point
Why would I want the data to be decrypted at each point and why would datacenters do that? Encrypting and decrypting data is expensive computationally, so that's not how things work at all. There's no need to decrypt data to know where it needs to go. That's why we have TCP/IP and other similar standards.
The datacenters can maybe add another layer of encryption on top of my data as it's moving around their networks, but there's absolutely no way for them to strip off my encryption.
> Yours and others' claims that things somehow got better after Snowden is just a completely baseless statement
Things didn't magically get better. A lot of people worked hard to improve the overall security posture of the industry.
> lol, no, it's really not.
Yeah it definitely is lol.
> Why would I want the data to be decrypted at each point and why would datacenters do that?
When we talk about data that is sent for processing to a 3p server (like Anthropic in this case) the data obviously needs to be decrypted to be processed.
As to why data is decrypted at each point in a typical large backend system - because other than network routing there are presumably multiple services that need to receive and act on this data somehow - you're not just sending encrypted data around to random servers.
> there's absolutely no way for them to strip off my encryption.
You don't seem to understand that you have no control over the encryption or decryption done on the backends of cloud services you use. I don't know how to make it more simple and obvious at this point.
Again, the context here is Anthropic and sending your data to their (or any other big tech) API. But even if we move away from this model and suppose you are running your own services on a rented cloud VM - then it should be obvious that you don't have full control or even access to this VM... any actor with access can install or modify any software, install/modify eBPF, modified crypto libraries, etc. - you have absolutely no control or say over this.
> Things didn't magically get better.
Things didn't get better at all, they got much worse.
> Why would I want the data to be decrypted at each point and why would datacenters do that?
I think they mean the data must have existed in plain text before it was encrypted, and will exist in plain text after it is decrypted.
At some point “your” server in a datacenter somewhere needs to decrypt the data to do something useful with it, after all you’re paying for compute, and homomorphic encryption is too slow, so the work is done on unencrypted data.
There it is. Your data in plain text in RAM.
TLS will protect your data in transit, but it can’t protect you against a compromised recipient.