Open vs. closed source from a security perspective

Lately I’ve seen this topic come up several times, in the papers, in forums, on mailing lists and on blogs. This week’s column at http://www.securityfocus.com discusses this topic, and does so from a (for me) new perspective.

A security implementation is only as strong as its weakest point. It might sound like a cliché, but it is closer to a fact. It has been argued whether a closed-source security implementation can claim to be secure at all, when the implementation itself cannot be reviewed. Take the VoIP protocol/program Skype as an example. Skype’s ”technical FAQ” states that: Skype uses 1536 to 2048 bit RSA to negotiate symmetric AES keys. This sounds fantastic; they are using the latest crypto technology, so it must be the safest solution ever. However, we have no way of knowing how the ”negotiation” is done, how the keys are generated, or how they are stored. The implementation itself can break the security that AES and RSA offer: a sound cipher used in a weak mode, with a reused nonce or with a key drawn from a poor random source, protects nothing, no matter how long the RSA key is. Skype is not alone in saying that it ”offers full privacy and secrecy”, but how can we know that the implementation is secure? If we instead look at Jabber, which is an open instant-messaging protocol with open-source implementations, the SSL (Secure Sockets Layer) code those implementations use can be fully reviewed, and therefore at least offers the possibility of full security. That is, if the implementation turns out to be secure.
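The point that a correct cipher can be undone by the code around it, as an added example that is not from the original post and not code from Skype, Jabber or any other product mentioned here. The Go program below uses AES-256 from Go’s standard library with a constructed key and shows two implementation mistakes that leak despite the cipher being sound: encrypting block by block with no chaining (ECB), where identical plaintext blocks give identical ciphertext blocks, and reusing a nonce in counter mode, where anyone who knows one message recovers the other by XOR without ever seeing the key. The key, nonce and messages are all constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// demoKey is a constructed 32-byte (AES-256) key. In a real product it would be
// the symmetric key that the RSA handshake negotiates; the weaknesses shown below
// do not depend on how strong that key is.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// encryptECB runs AES on each 16-byte block independently (electronic codebook).
// The cipher is used correctly per block, but with no chaining or nonce, equal
// plaintext blocks map to equal ciphertext blocks, so the message structure leaks.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), aes.BlockSize)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

// repeatedBlocks returns how many 16-byte ciphertext blocks are duplicates of an
// earlier block. For a sound mode this should be zero even for repetitive input.
func repeatedBlocks(ciphertext []byte) int {
	seen := make(map[string]bool)
	dup := 0
	for i := 0; i+aes.BlockSize <= len(ciphertext); i += aes.BlockSize {
		b := string(ciphertext[i : i+aes.BlockSize])
		if seen[b] {
			dup++
		}
		seen[b] = true
	}
	return dup
}

// encryptCTR encrypts with AES in counter mode. The mode is sound only if the
// nonce is never reused under the same key; the nonce is taken from the caller
// here precisely so that the reuse bug can be reproduced.
func encryptCTR(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, nonce).XORKeyStream(out, plaintext)
	return out, nil
}

// recoverFromNonceReuse is the attacker's side: given two ciphertexts produced
// under the same key and nonce, plus the plaintext of the first, it recovers the
// second plaintext (up to the common length) because c1 ^ c2 == p1 ^ p2.
// No key material is involved.
func recoverFromNonceReuse(c1, c2, knownP1 []byte) []byte {
	n := len(c1)
	if len(c2) < n {
		n = len(c2)
	}
	if len(knownP1) < n {
		n = len(knownP1)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = c1[i] ^ c2[i] ^ knownP1[i]
	}
	return out
}

func main() {
	// Constructed sample: four identical 16-byte blocks.
	pt := bytes.Repeat([]byte("YELLOW SUBMARINE"), 4)
	ct, _ := encryptECB(demoKey, pt)
	fmt.Printf("ECB: %d of 4 ciphertext blocks repeat an earlier block\n", repeatedBlocks(ct))

	// Constructed sample: two messages under one key with the same (all-zero) nonce.
	nonce := make([]byte, aes.BlockSize)
	p1 := []byte("attack at dawn!!")
	p2 := []byte("retreat at dusk!")
	c1, _ := encryptCTR(demoKey, nonce, p1)
	c2, _ := encryptCTR(demoKey, nonce, p2)
	fmt.Printf("CTR nonce reuse: recovered %q from c1, c2 and p1 alone\n", recoverFromNonceReuse(c1, c2, p1))
}
```

Neither mistake is visible from a product sheet that says ”AES-256”; both are visible in about five lines of source, which is the whole argument for being able to read it.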

Some say that without the ability to review the implementation of the cryptography, security cannot be offered at all. It is then just based on trust: trust in the implementers, like the folks behind Skype. I stand by this argument, but I am also aware of the risks of being too ”paranoid” when thinking this way, because, taken to its end, practically no proprietary software is secure. Some time ago I saw a comparison with cars and their safety features (like airbags and ABS brakes). These are reviewed by independent organisations, and it is done like this because it isn’t enough that the car manufacturer states: ”we use the latest technology and materials in our airbags”. The statement itself guarantees no safety. The airbag could in fact kill you if implemented wrongly. Why should there be any difference in digital security?

The article I mentioned above (this week’s securityfocus column) discusses security implementations in hardware. Take a WAP (Wireless Access Point) as an example. Many of them offer WEP, WPA or MAC-address filtering. Sounds good (or no, it doesn’t!), but we know nothing about how it is implemented in the access point, and we have no possibility whatsoever to review it. Will there be a trend in the future where companies like 3Com and Cisco release their firmware as open source? Ironically enough, Cisco’s security has most certainly been reviewed more than other companies’ firmware (because the IOS source code was stolen last year). Funnily enough, I don’t know whether this speaks for or against Cisco :)

Couldn’t companies working with closed source release the code of their implementation for free? Or at least have an independent organisation review it? If the implementation itself is their ”product” (like software offering encryption of files and partitions), this can be troublesome. However, for now, if someone asks me ”is this product secure?”, I’ll think again before answering. AES and Twofish in all their glory, but without any knowledge of their implementation, they guarantee nothing.
