OX Despatches: RSA 2016 – Cryptography & Open-Source Security

Mar 3, 2016

By Neil Cook, Chief Security Architect, Open-Xchange (Part 2 of Neil’s RSA 2016 Despatches)

One of my most anticipated sessions was a ‘Cryptographers Panel’ with some of the most respected cryptographers of the digital era. Whitfield Diffie and Martin Hellman (the co-inventors of public key cryptography along with Ralph Merkle), as well as Ronald Rivest and Adi Shamir (the “R” and “S” of the RSA cryptosystem), were all present. Naturally the discussion focused heavily on the recent legal battle between Apple and the FBI. The San Bernardino dispute stems in large part from the invention of public-key cryptography, which removed the need for tech companies to rely on ‘master keys’ or system ‘backdoors’ to secure their systems. Whitfield Diffie reminded everyone that these disputes are nothing new: the NSA considered public key cryptography a threat because it ‘democratised’ cryptography.

Another intriguing topic of discussion was quantum computing and the potential threat it poses to traditional crypto systems. Adi Shamir, however, was unconcerned: the files leaked by Edward Snowden in 2013 revealed the extent of the technology within the NSA, and indicated that we are still many years away from quantum computing being a viable proposition for cracking today’s cryptographic technologies.

Later I attended a highly relevant session entitled ‘Open-Source Poisoning: Can We Trust the Diverse Open-Source Ecosystem’. The main assertion seemed to be that ‘open-source software has vulnerabilities too’. While this wasn’t revelatory to me, one of the presenters did make a comment that I found challenging. They asserted that there is a general assumption that open-source software is ‘secure’, simply by virtue of it being open-source. Needless to say, I found this extremely surprising; among all the benefits of open-source software asserted by its advocates, I’ve never heard that one before.

Open-source software, like all software, can and does contain bugs and vulnerabilities. As with proprietary software development, the quality and security of the code is based on the culture, experience and expertise of the developers. No matter how skilful the developers, vulnerabilities will always exist. Just as important as the quality of the code is the way in which vulnerabilities are reported and handled.

This is why companies that support and build a business around developing open-source software, like Open-Xchange, are so important. These companies can provide a single point for reporting, fixing and disclosing vulnerabilities, and can document their public disclosure policy (see http://knowledgebase.open-xchange.com/support/security-patch-release.html for ours). Many open-source companies also participate in bug-bounty programs to ‘actively’ find vulnerabilities and reward the researchers who find them. (Come back soon for news on this front from Open-Xchange!)

The main takeaway is that you should consider the same security factors when choosing open-source software as you do when choosing proprietary software, principally: who develops the software? Is there a documented process for reporting issues or vulnerabilities? How do you find out when new vulnerabilities are discovered, and what are the documented policies for disclosure?

About the author

Neil Cook

PowerDNS Head of Product
