Gnu PG is more Safe ?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Jul 23 20:08:24 PDT 2013


Anthony Papillion <papillion at gmail.com> writes:

>Because GnuPG is open source, it's been extensively peer reviewed and found
>safe and secure.  

That should actually say "because GnuPG is open source, people assume that
someone else has extensively peer reviewed it and therefore assume that it's
safe and secure".  For example there was a long-standing RNG bug that was very
obvious if you looked at the code, but was only discovered by chance when
someone who was interested in the RNG happened to read through the code and
thought "hmm, surely that can't be right".  Having code that's open source
doesn't help at all if no-one looks at it.

>One of the best ways to learn about tech topics is reading RFC's. The entire
>way SSL/TLS operates is detailed in an RFC. Read it and you will be
>infinitely more informed.

Argh, no.  The best way to confuse someone is to get them to read an RFC. Find
a good book on the topic, e.g. for SSL/TLS there's Eric Rescorla's "SSL and
TLS: Designing and Building Secure Systems".  Before that, read "Network
Security: Private Communication in a Public World" by Kaufman et al.

Peter.
