I kept waiting for actionable advice, like maybe a site somewhere documenting the current best practices on common tasks, say securely implementing the complete lifecycle of encrypted sessions. Got to the end and it seems the advice, if there is one, is to pay some cryptography expert to review my system. And I have no idea if the author is a cryptography expert or an overconfident expert-wanna-be rolling their own crypto advice. So yeah, I agree.
Can HN give some actionable advice on dos, not don’ts (I already know all the don’ts, like don’t use OpenSSL primitives, don’t use AES-CBC, blah blah)?