On Wed, Oct 22, 2014 at 1:49 PM, Martti Kühne <mysatyre_AT_gmail.com> wrote:
>> Who are we talking about? *I* use free software. Despite that, I can't
>> fully trust what my computer is doing, because I can't verify the
>> hardware the software runs on isn't doing something malicious. I also
>> can't verify that my hardware isn't emitting signals that some
>> malicious person is picking up via some sort of device
>> [https://www.usenix.org/legacy/events/sec09/tech/full_papers/vuagnoux.pdf
>> and others], nor can I easily verify that a TLS key that I'm
>> protecting my connection with isn't extremely weak, and in other words,
>> my communication is actually completely insecure. Nor can I assume,
>> in this day and age, that there aren't a crap ton of other errors in
>> the TLS protocol, or bugs (keep in mind this is in free software
>> implementations) in the implementations that make me no more unsafe
>> than running blobs.
>>
>
> Interesting. You're making it sound as if your TLS implementation
> would be any safer if it wasn't free software. How safe do you want to
> be, and for that matter, how safe do you *need* to be? Security is an
> economic thought, after all.
Perhaps you misinterpreted. I'm pointing out that despite the ability
to audit the free implementations of TLS, we still have bugs which are
earth shattering and compromise us. I'm arguing that while we enjoy
the fact that we can audit free software and it gives us peace of
mind, it does not make us any safer than using blobs, in reality.
Received on Wed Oct 22 2014 - 20:05:03 CEST