[Discuss] Good and Bad Crypto
- Subject: [Discuss] Good and Bad Crypto
- From: richard.pieri at gmail.com (Richard Pieri)
- Date: Tue, 22 Apr 2014 10:42:05 -0400
- In-reply-to: <5355DA7B.firstname.lastname@example.org>
- References: <14b5446b65314ece8402914040d7efb6@CO2PR04MB684.namprd04.prod.outlook.com> <5355DA7B.email@example.com>
Tom Metro wrote:
> Steve Gibson discusses the timeline of the Heartbleed discovery. Google
> researchers, presumably examining the code, found the problem several
> weeks prior, and submitted patches to OpenSSL and fixed their own servers.

I choose not to make such assumptions. Google's methodology has not to my knowledge been publicized.

> (Sometimes I wonder why you subscribe to this list. Having a skeptical
> view of things is good, but you seem to take glee in perceived failings
> of the open source community, which tends to raise the questions of why

I use tools that work. Some of them are open. Some not. I'm not going to heap praise on something that doesn't work, or works poorly, simply because it's open source. And I'm not afraid to speak my mind about these things.

> Source code analysis has the potential to find these, if the code is
> analyzed. Black-box testing will find them only if you are very lucky.

This is laughably false. If it were even the least bit true then Microsoft Windows would be the most secure operating system on Earth because the code isn't available for scrutiny. We all know that hiding the code isn't any assurance of security. What you need to get through your head is that displaying the code isn't any assurance of security, either. Seeing the source code means nothing if you don't understand it and the algorithms it implements. This works both ways: you don't need to understand the intricacies of a cipher or PRNG in order to attack it.

-- 
Rich P.