
I think that this isn't strictly true. If you naïvely apply bad encryption before good you may weaken the entire system. For a silly example, imagine your "homegrown" crypto adds a publicly known plaintext to the start of the cyphertext. I think this is discussed in Schneier's textbook.



> If you naïvely apply bad encryption before good you may weaken the entire system

The strength of the system can be viewed from multiple angles. From a practical angle, applying one kind of commercial encryption on top of another type of commercial encryption turns it into a technically weaker, but unique cryptosystem. And uniqueness has value if you're just a single fish in a big pond.

For instance, if one single An0m customer had applied a Caesar cipher to their communications, the cops might have skipped over him due to the unknown cost of putting dedicated crypto effort into one person in a massive dragnet.


* I meant to say add commercial encryption on top of custom encryption


So? HTTPS adds a publicly known header at the beginning of any connection anyway and I don't see public key encryption being cracked anyway. Or blockchains do that too, are wallets being emptied by the ones that don't have the private key?

And since you mentioned Schneier's textbook, he also said that a good safe is the one that you give to your adversaries with the blueprint of how it's made and still is uncracked, not the one that you dump in the middle of the ocean and ask your adversaries to crack it (security through obscurity).

PGP is still uncracked, if I'd become a criminal then public PGP with at least an 8k-bit key would be my choice.


> PGP is still uncracked, if I'd become a criminal then public PGP with at least an 8k-bit key would be my choice.

It's not PGP that is uncracked, PGP is a set of tools built on top of RSA. RSA is still secure (other than brute force factoring) with appropriately sized keys.

The biggest problem with PGP isn't PGP itself, it's your opsec approach to everything else. Example... after decrypting a PGP payload - did you save it to disk unencrypted? Did the recipients to your messages save it unencrypted? Are any machines infected with keyloggers? PGP is a great tool, but still requires good opsec overall.


You're technically right, but it's practically true for good algorithms. Yes, if you apply a rot(-13) before your rot(13) "encryption" it's going to make it worse.

I think that if we are going to be concerned about multiple layers of encryption, as you say, then we should be equally concerned with things such as what encoding we use to send text with, or whether we use gzip or bzip. It would suck having to worry about all that; good encryption algorithms work regardless of how their plaintext is encoded, and homegrown encryption is just another form of encoding.


Or the implementation does something silly like copy the cleartext and not clean up after itself, or send distinguishing metadata, etc., etc.



