Gnu PG is more Safe ?
Anthony Papillion
papillion at gmail.com
Tue Jul 23 20:20:40 PDT 2013
On Jul 23, 2013, at 10:08 PM, Peter Gutmann
<pgut001 at cs.auckland.ac.nz> wrote:
> Anthony Papillion <papillion at gmail.com> writes:
>
>> Because GnuPG is open source, it's been extensively peer reviewed
>> and found
>> safe and secure.
>
> That should actually say "because GnuPG is open source, people
> assume that
> someone else has extensively peer reviewed it and therefore assume
> that it's
> safe and secure". For example there was a long-standing RNG bug
> that was very
> obvious if you looked at the code, but was only discovered by chance
> when
> someone who was interested in the RNG happend to read through the
> code and
> thought "hmm, surely that can't be right". Having code that's open
> source
> doesn't help at all if no-one looks at it.
True. So perhaps we can say it is "less likely" to have glaring bugs
than it's proprietary counterparts. Sure, bugs will be overlooked or
outright missed in any project of size. But with more eyes comes a
better chance of bugs and backdiors being caught.
>> One of the best ways to learn about tech topics is reading RFC's.
>> The entire
>> way SSL/TLS operates is detailed in an RFC. Read I'd and you will be
>> infinately more informed.
>
> Argh, no. The best way to confuse someone is to get them to read an
> RFC. Find
> a good book on the topic, e.g. for SSL/TLS there's Eric Rescorla's
> "SSL and
> TLS: Designing and Building Secure Systems". Before that, read
> "Network
> Security: Private Communication in a Public World" by Kaufman et al.
It depends on the RFC and how it's written. I've read many RFC's that
were very informative and easy to understand. A well written book on
the topic is always better, but you can almost always find what you
need in the RFC. It may not be optimal but it's not horrible.
Anthony
More information about the cypherpunks
mailing list