Viewing a single comment thread. View all comments

kcabnazil t1_j9xf5jy wrote

I hope noone is downvoting this because they think it is inaccurate.

It is, however, missing the point.

Being open source means you can show to have security objectively, not through obscurity. It means others can not only analyze it for weaknesses, but contribute resolution to those weaknesses as well.

Whether or not that open source code is what's really used to build an application... is another matter. I wonder if that can be objectively proved for Signal. It definitely can't be for others ;)


drawkbox t1_j9xu5tw wrote

Agreed, security through obscurity is always a bad idea. Zero trust is the only way and less third parties helps you minimize the attack vectors.

My comment here addresses some of these points

While OSS is has code to review openly, that is a good company level trust, but that also is a potential weak area where people will overly trust and let in a bad dependency that not even the company knows got compromised. It can also let you target dependencies that the code uses without even needing to steal the code. You can trust that the company that open sources will make sure their code looks good and has less holes possibly, but not always.

It has happened in OSS for decades now to the largest toolkits with the most eyes and broadest use, because that is the best way to get into systems now, via the devs who are the weak link sadly. As a dev I am blown away at the lack of awareness of devs and these issues.