BLU Discuss list archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Discuss] Good and Bad Crypto
- Subject: [Discuss] Good and Bad Crypto
- From: richard.pieri at gmail.com (Richard Pieri)
- Date: Wed, 23 Apr 2014 14:34:00 -0400
- In-reply-to: <20140423174046.GP3247@dragontoe.org>
- References: <20140423174046.GP3247@dragontoe.org>
Derek Martin wrote: > Attackers have many other means to effect attacks if they are > motivated...and they are. Closed source only hinders those who are > unwilling to commit crimes and/or who lack the resources to achieve > their goals. Black hats are not bound by the former, and there are > plenty of criminals who are not bound by the latter. Gee, I seem to recall writing something to the effect that hiding code as a security mechanism is laughable. > The ONLY defense the rest of us have against this is transparency, > which puts the white hats and black hats on equal footing. I never > said it was a perfect defense; it is not. But it's all you have. Actually, no, it's not... > Closed source takes even that away, leaving you with nothing other > than blind trust, which is completely worthless in this context, since > we KNOW that your vendor (a) WILL get it wrong, at least sometimes, > and (b) IS motivated by profit, and (c) MAY NOT be perfectly > forthcoming about its (other) motives, methods, and failures (and > almost certainly will not be, to at least some extent). ... because every major closed source vendor in the US uses the same test labs to test and certify their code that open source vendors in the US use to test and certify their code. That's right. Microsoft and Apple and Oracle have their code tested and certified by the same labs that Red Hat and SuSE and the OpenSSL project use. The world doesn't trust OpenSSL because it's open source. The world trusts OpenSSL because the cryptographic module has a FIPS 140-2 certificate. That certificate happens to be the same level certificate that Microsoft has for their cryptographic module. The testing standards are the same. The testing rules are the same. The testing procedures are the same. The certification and assurance levels are the same. Are the two modules equally trustworthy? Yes, they are, because they both passed the same certification process. -- Rich P.
- Follow-Ups:
- [Discuss] Good and Bad Crypto
- From: smallm at panix.com (Mike Small)
- [Discuss] Good and Bad Crypto
- References:
- [Discuss] Good and Bad Crypto
- From: invalid at pizzashack.org (Derek Martin)
- [Discuss] Good and Bad Crypto
- Prev by Date: [Discuss] Good and Bad Crypto
- Next by Date: [Discuss] Good and Bad Crypto
- Previous by thread: [Discuss] Good and Bad Crypto
- Next by thread: [Discuss] Good and Bad Crypto
- Index(es):