[Discuss] Good and Bad Crypto

[Richard Pieri]

Derek Martin wrote:
> Attackers have many other means to effect attacks if they are
> motivated...and they are.  Closed source only hinders those who are
> unwilling to commit crimes and/or who lack the resources to achieve
> their goals.  Black hats are not bound by the former, and there are
> plenty of criminals who are not bound by the latter.

Gee, I seem to recall writing something to the effect that hiding code 
as a security mechanism is laughable.


> The ONLY defense the rest of us have against this is transparency,
> which puts the white hats and black hats on equal footing.  I never
> said it was a perfect defense; it is not.  But it's all you have.

Actually, no, it's not...

> Closed source takes even that away, leaving you with nothing other
> than blind trust, which is completely worthless in this context, since
> we KNOW that your vendor (a) WILL get it wrong, at least sometimes,
> and (b) IS motivated by profit, and (c) MAY NOT be perfectly
> forthcoming about its (other) motives, methods, and failures (and
> almost certainly will not be, to at least some extent).

... because every major closed source vendor in the US uses the same 
test labs to test and certify their code that open source vendors in the 
US use to test and certify their code. That's right. Microsoft and Apple 
and Oracle have their code tested and certified by the same labs that 
Red Hat and SuSE and the OpenSSL project use.

The world doesn't trust OpenSSL because it's open source. The world 
trusts OpenSSL because the cryptographic module has a FIPS 140-2 
certificate. That certificate happens to be the same level certificate 
that Microsoft has for their cryptographic module. The testing standards 
are the same. The testing rules are the same. The testing procedures are 
the same. The certification and assurance levels are the same. Are the 
two modules equally trustworthy? Yes, they are, because they both passed 
the same certification process.

-- 
Rich P.