Re: Crypto implementation in consumer encryption software

From: BRG (brg_at_nowhere.org)
Date: 10/12/04


Date: Tue, 12 Oct 2004 11:11:35 +0100

David Wagner wrote:

> Gerard Morentzy wrote:
>
>>However, consumers are very limited when looking for software, which
>>**implements** strong cryptography -- that is open-source.
>
> I'm not sure. It seems to me some of the highest-quality cryptographic
> products out there are open source. It seems to me that the pattern
> is that high-quality crypto often comes out first in open source (while
> the competing closed source proprietary are lousy), and then eventually
> the high-quality crypto starts to be make its way into proprietary
> closed-source products, too.
>
> I'm thinking, for instance, of gpg, PGP, SSH, and open SSL/TLS and IPSec
> implementations, to name a few examples. All of these were way ahead of
> their closed-source competitors at the time (with the possible exception
> of SSL). Personally, I'd rate all of these fairly highly.
>
> Personally, I think a bigger issue is usability. The open source systems
> often aren't nearly as friendly to end users as typical commercial
> software products. There are exceptions, of course.

I am inclined to agree. The proportion of the source code in a typical
commercial security product that is comprised of direct cryptographic
and security components is almost always small compared to what is
needed for other aspects of its functionality. And while many technical
people are prepared to put up with poor useability in exchange for good
security, for most end users this choice is the other way round (even if
not consciously so).

In my own experience the interaction between open source developers and
commercial product developers can be effective and, as you suggest, for
many products there is a strong link between the early open source code
and the later commercial code (I use a BSD license rather than a GPL
license for my code quite deliberately in an effort to promote the use
of cryptography in commercial products).

But we are also starting to see open source products that combine good
security perfomance and good functionality.

Firstly, as you suggest, some free open source products and some free
(in the RS sense) products are now being delivered with good security
features and good useability (archivers are a good example here).

And, secondly, a number of commercial companies clearly know that it is
important not only to offer security but also to be seen to offer
security. Hence souce code is being made available for inspection.

In my view the latter is a poor second best when compared with widely
used GPL or free open source code (since the prospects of actual
inspection are low for most products). But it is better than closed
source.

    Brian Gladman



Relevant Pages

  • Re: Distributing user-developed Linux software and licensing issues.
    ... >> capable of secure data transmissions. ... > I'm not a security expert so I'm learning as I go. ... > application can be completely open source and secure ... > key works since access to the source code is ...
    (Fedora)
  • End of all Open Source.
    ... We know that this security issue was discovered on 27th Nov 2002 by ISS ... However, the US Department of Homeland Security prohibited Sendmail Inc., ... Source code, the essence of Open Source ...
    (comp.security.misc)
  • End of all Open Source.
    ... We know that this security issue was discovered on 27th Nov 2002 by ISS ... However, the US Department of Homeland Security prohibited Sendmail Inc., ... Source code, the essence of Open Source ...
    (alt.computer.security)
  • Re: Secure or insecure
    ... >> yet has a better security record. ... > not been scrutinized to the extent that Open Source code has. ... > inherently insecure code, once released to the public, can show its ...
    (alt.os.linux.suse)
  • Re: Whats the story with the "end of XP"?
    ... You can't call yourself an expert in cryptography without a solid familiarity with some of the most used algorithms and implementations - programs like GPG, OpenSSH and OpenSSL are known to be among the most secure solutions precisely because there are so many interested and capable people who have studied their source code. ... There is overwhelming statistical evidence that serious flaws in major open source software projects are fixed quickly - generally far faster than in comparable closed source projects. ... And there are people who feel that anyone can use whatever license they want, but that they personally will only use FOSS. ...
    (comp.arch.embedded)