[Discuss] Good and Bad Crypto

[richard.pieri at gmail.com (Richard Pieri)]

Tom Metro wrote:
> Steve Gibson discusses the timeline of the Heartbleed discovery. Google
> researchers, presumably examining the code, found the problem several
> weeks prior, and submitted patches to OpenSSL and fixed their own servers.

I choose not to make such assumptions. Google's methodology has not to 
my knowledge been publicized.


> (Sometimes I wonder why you subscribe to this list. Having a skeptical
> view of things is good, but you seem to take glee in perceived failings
> of the open source community, which tends to raise the questions of why

I use tools that work. Some of them are open. Some not. I'm not going to 
heap praise on something that doesn't work, or works poorly, simply 
because it's open source. And I'm not afraid to speak my mind about 
these things.


> Source code analysis has the potential to find these, if the code is
> analyzed. Back-box testing will find them only if you are very lucky.

This is laughably false. If it were even the least bit true then 
Microsoft Windows would be the most secure operating system on Earth 
because the code isn't available for scrutiny.

We all know that hiding the code isn't any assurance of security. What 
you need to get through your head is that displaying the code isn't any 
assurance of security, either. Seeing the source code means nothing if 
you don't understand it and the algorithms it implements. This works 
both ways: you don't need to understand the intricacies of a cipher or 
PRNG in order to attack it.

-- 
Rich P.