February 14, 2004

Excellent article on the security issues of Open Source development

This is a response to another article, questioning the security of Open Source.

Too often people assume that secrecy equals security. Nothing could be further from the truth. Today's strong cryptography is based on the assumption that an "adversary" will know both that something is encrypted, and what the encryption scheme is. The notion that hiding the means of encryption will somehow make the data in question more secure is a notion that has been obsolete since World War II. Strong crypto assumes, rather, that despite the fact that the encryption algorithm is a matter of public knowledge, the data in question will remain encrypted and secure. Open Source software is based on a similar notion of security. Hiding source code is a bad way to assume you'll achieve security, because even a powerful and highly proprietary company can't guarantee that source code won't leak out. Instead, security should be based on a worst-case scenario: assume your "adversary" has access to the source code. Starting from worst-case assumptions is just plain common sense. Any other security plan is simply madness.

I for one would rather have a digital society built on code open to scrutiny by all. Especially when it comes to areas such as online voting.

ONLamp.com: Is Open Source Secure? - Feb. 13, 2004
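The worst-case assumption the quoted article describes (the adversary knows the algorithm; only the key is secret) is Kerckhoffs's principle, and it is easy to see in code. The following is an added example written for this page, not code from the ONLamp article or from this blog. It builds two toy ciphers whose algorithms are both fully visible: one whose only "secret" is a constant hard-coded in the source, and one whose secret is a 256-bit key. The attacker model, the byte constant, the HMAC-based keystream and the sample plaintext are all assumptions made up for the demonstration; neither cipher is meant for real use.

```python
"""Kerckhoffs's principle in code (added example, constructed for this page).

obscure_xor:  the algorithm hides a one-byte constant. Once the source is
              visible, or the attacker simply assumes the algorithm is known,
              the whole keyspace is 256 values and falls to brute force.
keyed_stream: the algorithm is public (HMAC-SHA256 in counter mode, a toy
              stream cipher), and the secret is a random 256-bit key. Knowing
              the algorithm buys the attacker nothing; only the key matters.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# "Security through obscurity": the designer hopes nobody learns that the
# plaintext is XORed with this constant. Hypothetical value for the example.
HIDDEN_CONSTANT = 0x5A


def obscure_xor(data: bytes, key: int = HIDDEN_CONSTANT) -> bytes:
    """One-byte XOR 'cipher'; encryption and decryption are the same op."""
    return bytes(b ^ key for b in data)


def break_obscure_xor(ciphertext: bytes, known_prefix: bytes) -> Optional[int]:
    """Adversary who knows the algorithm and guesses a likely plaintext prefix
    (a protocol header, say) tries every possible key. 256 tries at most."""
    for candidate in range(256):
        if obscure_xor(ciphertext[: len(known_prefix)], candidate) == known_prefix:
            return candidate
    return None


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream blocks are HMAC-SHA256(key, nonce || counter). The (key, nonce)
    pair must never be reused, as with any stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def keyed_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Public algorithm, secret key: XOR with the keystream (symmetric)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def break_keyed_stream(ciphertext: bytes, nonce: bytes, known_prefix: bytes,
                       budget: int) -> Optional[bytes]:
    """The same known-prefix attack against the keyed cipher. The attacker
    knows the algorithm and the nonce, so the only unknown is the 256-bit key;
    trying `budget` candidates out of 2**256 is hopeless, which is the point."""
    for i in range(budget):
        candidate = i.to_bytes(32, "big")
        if keyed_stream(candidate, nonce, ciphertext[: len(known_prefix)]) == known_prefix:
            return candidate
    return None


def demo() -> dict:
    """Run both attacks on a constructed request line and report the outcome."""
    plaintext = b"GET /index.html HTTP/1.0"   # constructed sample message
    prefix = b"GET /ind"                      # plaintext the attacker can guess

    weak_ct = obscure_xor(plaintext)
    recovered = break_obscure_xor(weak_ct, prefix)

    key = secrets.token_bytes(32)             # the only secret in the strong scheme
    nonce = secrets.token_bytes(16)
    strong_ct = keyed_stream(key, nonce, plaintext)

    return {
        "obscure_key_recovered": recovered == HIDDEN_CONSTANT,
        "obscure_plaintext": obscure_xor(weak_ct, recovered) if recovered is not None else None,
        "keyed_roundtrip_ok": keyed_stream(key, nonce, strong_ct) == plaintext,
        "keyed_key_recovered": break_keyed_stream(strong_ct, nonce, prefix, budget=1024) is not None,
        "keyed_keyspace_bits": 8 * len(key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running it recovers the hidden constant and the full plaintext of the obscure scheme within 256 guesses, while the identical attack on the keyed scheme fails within its budget and would need on the order of 2^256 tries. That is the whole argument of the quoted paragraph: a design that is still secure after the source leaks is one where the secret is a key, not the code.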

Posted by manne at February 14, 2004 01:22 PM
