On Jul 23, 2013, at 10:08 PM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
Anthony Papillion <papillion@gmail.com> writes:
Because GnuPG is open source, it's been extensively peer reviewed and found safe and secure.
That should actually say "because GnuPG is open source, people assume that someone else has extensively peer reviewed it and therefore assume that it's safe and secure". For example there was a long-standing RNG bug that was very obvious if you looked at the code, but was only discovered by chance when someone who was interested in the RNG happend to read through the code and thought "hmm, surely that can't be right". Having code that's open source doesn't help at all if no-one looks at it.
True. So perhaps we can say it is "less likely" to have glaring bugs than it's proprietary counterparts. Sure, bugs will be overlooked or outright missed in any project of size. But with more eyes comes a better chance of bugs and backdiors being caught.
One of the best ways to learn about tech topics is reading RFC's. The entire way SSL/TLS operates is detailed in an RFC. Read I'd and you will be infinately more informed.
Argh, no. The best way to confuse someone is to get them to read an RFC. Find a good book on the topic, e.g. for SSL/TLS there's Eric Rescorla's "SSL and TLS: Designing and Building Secure Systems". Before that, read "Network Security: Private Communication in a Public World" by Kaufman et al.
It depends on the RFC and how it's written. I've read many RFC's that were very informative and easy to understand. A well written book on the topic is always better, but you can almost always find what you need in the RFC. It may not be optimal but it's not horrible. Anthony