By Neil Cook, Chief Security Architect Open-Xchange – Read Part 1 of Neil’s Despatches here
One of my most anticipated sessions was a ‘Cryptographers Panel’ with some of the most respected cryptographers of the digital era. Whitfield Diffie and Martin Hellman (the co-inventors of public key cryptography along with Ralph Merkel), as well as Ronald Rivest and Adi Shamir (The “R” and “S” of the RSA cryptosystem) were all present. Naturally the discussion focused heavily on the recent legal battle between Apple and the FBI. The San Bernardino dispute stems in large part from the invention of public-key cryptography which removed the need for tech companies to automatically rely on ‘master keys’ or system ‘backdoors’ to secure their systems. Whitfield Diffie reminded everyone that these disputes are nothing new; The NSA considered public key cryptography a threat because it ‘democratised’ cryptography.
Another intriguing topic of discussion was quantum computing and the potential threat it poses to traditional crypto systems. Adi Shamir however, was unconcerned: Edward Snowden’s leaked files revealed the extent of the technology within the NSA in 2013 which indicated that we are still many years away from quantum computing being a viable proposition for cracking today’s cryptographic technologies.
Later I attended a highly relevant session entitled ‘Open-Source Poisoning: Can We Trust the Diverse Open-Source Ecosystem’. The main assertion seemed to be that ‘open-source software has vulnerabilities too’. While this wasn’t revelatory to me, one of the presenters did make a comment that I found challenging. They asserted that there is a general assumption that open-source software is ‘secure’, simply by virtue of it being open-source. Needless to say, I found this extremely surprising; among all the benefits of open-source software asserted by its advocates, I’ve never heard that one before.
Open-source software, like all software, can and does contain bugs and vulnerabilities. As with proprietary software development, the quality and security of the code is based on the culture, experience and expertise of the developers. No matter how skilful the developers, vulnerabilities will always exist. Just as important as the quality of the code is the way in which vulnerabilities are reported and handled.
This is why companies that support and create a business from developing open-source software like Open-Xchange, are so important. These companies can provide a single point for reporting, fixing and disclosing vulnerabilities, documenting their public disclosure policy (see http://knowledgebase.open-xchange.com/support/security-patch-release.html for ours). Many open-source companies will also participate in bug-bounty programs, to ‘actively’ find vulnerabilities, and reward the researchers who find them. (Come back soon for news on this front from Open-Xchange!).
The main takeaway of this is that you should consider the same security factors when choosing open-source software as you do when choosing proprietary software, principally: who develops the software? Is there a documented process to report issues or vulnerabilities? How do you find out when new vulnerabilities are discovered and what are the documented policies for disclosure?