Are they? If you want an answer to the question “is this secure?” then not being able to examine the code should obviously disqualify it.
Are they? If you want an answer to the question “is this secure?” then not being able to examine the code should obviously disqualify it.
sudoshakes@reddthat.com 11 months ago
Sure it does, but that doesn’t make it bad.
Open source code is not the only solution to secure communication.
You can be extremely secure on closed source tools as well.
If they found specific issues with Signal aside from not being allowed to freely inspect their code base, I suspect we would be hearing about it. Instead I don’t see specific security failings just hat it didn’t make the measure for their security software audit.
As an example of something that is closed source and trusted:
The software used to load data and debug the F-35 fighter jet.
Pretty big problem for 16 countries if that isn’t secure… closed source. So much s you can’t even run tests against the device for loading data to the jet live. It’s a problem to sort out, but it’s an example of where highly important communication protocols are not open source and trusted by the governments of many countries.
If their particular standard here was open source, ok, but they didn’t do anything to assure the version they inspected would be the only version used. In fact every release from that basement pair of programmers could inadvertently have a flaw in it, which this committee would not be reviewing in the code base for its members of parliament.
lemmyvore@feddit.nl 11 months ago
Lol at military stuff being secure. Most often it’s not, it’s just hidden. There was an Ars Technica article about the “secure” devices used at military bases being full of holes for example: arstechnica.com/…/next-gen-osdp-was-supposed-to-m…
When code is hidden all you know for sure is that you don’t know anything about it. You certainly can’t say it’s secure.
If a piece of code or a system is really secure then it does not care if the code is open because the security lays in the quality of its algorithms and the strength of the keys.
Tibert@jlai.lu 11 months ago
Well let’s give some counter examples in the softwares I mentioned :
WhatsApp closed : Owned by Facebook. Well Facebook had multiple data leaks, privacy violations and nothing substantial was done about it. Definitely not trustable (also zero days are getting sold on the black market for WhatsApp (techcrunch.com/…/zero-days-for-hacking-whatsapp-a… ).
Telegram closed : not end to end encrypted. Russian app. Not trustable.
Signal open (servers I don’t know): well this one is e to e encrypted. Open source, maybe could be trusted. Seems to have passed some security audits (community.signalusers.org/t/…/13243), tho it’s based in the US and uses servers, maybe the US may have super computers capable of decrypting such communications. However is signal has switched their encryption to quantum computer resistance it may be too hard even for a state actor.
Olvid (open, servers I don’t know) : is French and why not use a local messaging app witch also is very secure and open source.
Notice how closed source is untrusted here. The economic activity of the tool changes how trustable it is. Military équipement has a huge and strict budget, it has to be secure.
Communication apps are user first. So they do what they can get away with, and that is very true for Facebook.