Search Mailing List Archives
[liberationtech] Silent Circle Dangerous to Cryptography Software Development
dancol at dancol.org
Thu Oct 11 11:54:37 PDT 2012
On 10/11/2012 10:54 AM, Moxie Marlinspike wrote:
> The problem is that if you have an enterprise focus, you can't sell a
> service, you have to sell software. Serviced-based models have
> certainly made inroads into the enterprise, but they still want to host
> security-focused stuff themselves (even if it's encrypted end-to-end).
> It's hard to sell an expensive site license for your software if the
> software is freely available.
> In general, I'm not actually convinced that OSS is a necessity for
> secure communication tools. Protocols can generally be verified on the
> wire, and unfortunately, the number of people who are going to be able
> to look at software-based cryptography and find vulnerabilities is very
> small -- and two of them put their names behind Silent Circle.
I feel like there are two ways to interpret your argument. Either we're talking
about a protocol with a thorough public specification, which would allow third
parties to verify its proper implementation, or we're talking about a protocol
examined only be a few trusted researchers, presumably under some sort of NDA.
In the former case, FOSS tools will be able to clone and mimic any sufficiently
popular product, eroding the market advantage of a closed-source development
model (although perhaps not for a while); in the latter case, users must base
their confidence and sense of safety on the word of a few people who, however
distinguished they may be, have the same weaknesses as the rest of us.
While source code availability and verifiability (can I compile it and get the
same binaries?) may not be necessity for secure communication tools, I suspect
it's necessary in order for a tool to gain a reputation for being secure, at
least among those in the know.
More information about the liberationtech