Monday, July 28, 2014

Cliché: open-source is secure

Some in cybersec keep claiming that open-source is inherently more secure or trustworthy than closed-source. This is demonstrably false.

Firstly, there is the problem of usability. Unusable crypto isn't a valid option for most users. Most would rather just not communicate at all, or risk going to jail, rather than deal with the typical dependency hell of trying to get open-source to compile. Moreover, open-source apps are notoriously user-hostile, which is why the Linux desktop still hasn't made headway against Windows or Macintosh. The reason is that developers blame users for being stupid for not appreciating how easy their apps are, whereas Microsoft and Apple spend $billions in usability studies actually listening to users. Desktops like Ubuntu are pretty good -- but only when they exactly copy Windows/Macintosh. Ubuntu still doesn't invest in the usability studies that Microsoft/Apple do.

The second problem is deterministic builds. If I want to install an app on my iPhone or Android, the only usable way is through their app stores. This means downloading the binary, not the source. Without deterministic builds, there is no way to verify the downloaded binary matches the public source. The binary may, in fact, be compiled from different source containing a backdoor. This means a malicious company (or an FBI NSL letter) can backdoor open-source binaries as easily as closed-source binaries.

The third problem is code-review. People trust open-source because they can see for themselves if it has any bugs. Or, if not themselves, they have faith that others are looking at the code ("many eyes makes bugs shallow"). Yet, this rarely happens. We repeatedly see bugs giving backdoor access ('vulns') that remain undetected in open-source projects for years, such as the OpenSSL Heartbleed bug. The simple fact is that people aren't looking at open-source. Those qualified to review code would rather be writing their own code. The opposite is true for closed-source, where they pay people to review code. While engineers won't review code for fame/glory, they will for money. Given two products, one open and the other closed, it's impossible to guess which has had more "eyes" looking at the source -- in many case, it's the closed-source that has been better reviewed.

What's funny about this open-source bigotry is that it leads to very bad solutions. A lot of people I know use the libpurple open-source library and the server (run by CCC hacking club). People have reviewed the libpurple source and have found it extremely buggy, and chat apps don't pin SSL certificates, meaning any SSL encryption to the CCC server can easily be intercepted. In other words, the open-source alternative is known to be incredibly insecure, yet people still use it, because "everyone knows" that open-source is more secure than closed-source.

Wickr and SilentCircle are two secure messaging/phone apps that I use, for the simple fact that they work both on Android and iPhone, and both are easy to use. I've read their crypto algorithms, so I have some assurance that they are doing things right. SilentCircle has open-sourced part of their code, which looks horrible, so it's probable they have some 0day lurking in there somewhere, but it's really no worse than equivalent code. I do know that both companies have spent considerable resources on code review, so I know at least as many "eyes" have reviewed their code as open-source. Even if they showed me their source, I'm not going to read it all -- I've got more important things to do, like write my own source.

Thus, I see no benefit to open-source in this case. Except for Cryptocat, all the open-source messaging apps I've used have been buggy and hard to use. But, you can easily change my mind: just demonstrate an open-source app where more eyes have reviewed the code, or a project that has deterministic builds, or a project that is easier to use, or some other measurable benefit.

Of course, I write this as if the argument was about the benefits of open-source. We all know this doesn't matter. As the EFF teaches us, it's not about benefits, but which is ideologically pure; that open-source is inherently more ethical than closed-source.


Yoda said...

I totally agree with you!

Unknown said...

Points being made in the post are highly debatable.
I don't disagree with saying that open-source is not more secure than closed source. In fact, it's ignorant at best to say otherwise. However, the opposite is also true: closed-source is not more secure than open-source.
In fact, neither approach inherently provides any degree of better security.

The only place where this would be debatable is in the creation and use of cryptographic algorithms, which is however better left in the hands of math experts and on the pages of peer-reviewed journals: history has shown that algorithms that base their strength on secrecy are often found to be full of holes.

That said, I find that the first point made in the blog is simply wrong. Internet RUNS on open-source. A ludicrous majority of servers are Apache servers on Linux systems, which often implement OpenSSL for secure communications. For clients, Chrome and Mozilla form about 85% of the currently used browsers, and both are open-source.
I could go one but to cut it short: either open-source *CAN* be usable (like closed-source can be terrible from the usability standpoint) or usability isn't such an issue. Personally I think the first one is true.

I'm not sure what the author is getting at with the second point, however he seems to hint that open-source equates to "you have to compile it yourself". That is of course wrong, as there are official binary distributions of pretty much all major open-source software projects.

The third point is quite true in fact, however like for the premise itself, it's not true that open-source is necessarily reviewed more than closed source. However the opposite is not true either. Apache server for example definitely has more people looking at its code than any closed-source alternative, I'm willing to bet. OpenSSL is a famous example and should be remembered as a cautionary tale more than anything else.

ayeomans said...

Whatever your prejudices, Open Source software is more sustainable, especially in the long term.
If it breaks, you can fix it yourself, or pay someone to do so.
If closed source breaks, you are pretty stuck. You have to wait for the vendor to fix, if they are still in business and willing, or do a total migration to an alternative. Or give up.
Either approach can be valid business; just make sure you really understand the supply chain and factor that into decisions.