Gnu PG is more Safe ?

Anthony Papillion papillion at gmail.com
Tue Jul 23 20:20:40 PDT 2013


On Jul 23, 2013, at 10:08 PM, Peter Gutmann  
<pgut001 at cs.auckland.ac.nz> wrote:

> Anthony Papillion <papillion at gmail.com> writes:
>
>> Because GnuPG is open source, it's been extensively peer reviewed
>> and found safe and secure.
>
> That should actually say "because GnuPG is open source, people
> assume that someone else has extensively peer reviewed it and
> therefore assume that it's safe and secure".  For example there was
> a long-standing RNG bug that was very obvious if you looked at the
> code, but was only discovered by chance when someone who was
> interested in the RNG happened to read through the code and thought
> "hmm, surely that can't be right".  Having code that's open source
> doesn't help at all if no-one looks at it.

True. So perhaps we can say it is "less likely" to have glaring bugs
than its proprietary counterparts. Sure, bugs will be overlooked or
outright missed in any project of size. But with more eyes comes a
better chance of bugs and backdoors being caught.

>> One of the best ways to learn about tech topics is reading RFCs.
>> The entire way SSL/TLS operates is detailed in an RFC. Read it and
>> you will be infinitely more informed.
>
> Argh, no.  The best way to confuse someone is to get them to read an
> RFC. Find a good book on the topic, e.g. for SSL/TLS there's Eric
> Rescorla's "SSL and TLS: Designing and Building Secure Systems".
> Before that, read "Network Security: Private Communication in a
> Public World" by Kaufman et al.

It depends on the RFC and how it's written. I've read many RFCs that
were very informative and easy to understand. A well written book on
the topic is always better, but you can almost always find what you
need in the RFC. It may not be optimal but it's not horrible.

Anthony
