(This article was also published on the HissenIT Blog.)

Recently, I received the question if it would not be dangerous, when the source code for an encryption software is publicly available. An answer...

As a computer scientist with several years of professional experience in IT security and especially in the field of cryptography, you take many facts for granted which are sometimes anything but understandable for the average IT user. The field of IT security requires a lot of in-depth knowledge and practical experience. Even the most experienced IT specialists are sometimes overwhelmed with IT security.

Danger because it is open-source?

When I received the question if it would not be “dangerous” if the source code for encryption software is publicly available (open-source), I was very surprised at first. Two thoughts were the background for the question:

If the source code is open, would it not be much easier to carry out an unauthorized decryption, e.g., to develop a “software attack” against the encryption? If the source code is open, would it not be much easier to add malicious code in the software?

For a normal end user obviously reasonable thoughts.

Security Disclosure

In response to the first aspect:

“Secret” encryption algorithms do basically not exist in our everyday life. When we talk about secret services or, e.g., the NSA that may perhaps be different (who knows), but any encryption technique that we use in our everyday life is open, publicly discussed by professionals and generally accepted. The security does not depend on the secrecy. This is a basic principle of IT security. Whether HTTPS (TLS/SSL), e-mail encryption (S/MIME, PGP) or SSH (Secure Shell): All the algorithms used in these protocols, such as RSA or AES, are considered to be secure.

There were always gaps, for example in the TLS/SSL protocol family or individual implementations, but these would have been discovered sooner or later even with confidential protocols and implementations. Furthermore, the errors were not fundamental. Bug fixes or recommendations for action were always quickly available.

The goal of open-source products is, in turn, to ensure trust. Many people are – for instance because of the NSA revelations of the recent years – worried about specific software backdoors. The idea that a particular software, which comes into contact with sensitive data, is the target of such action, is more than justified. Moreover, an encryption software is usually by definition used for sensitive data. So, what could be a better target?

Of course, for commercial manufacturers of security software the main interest is to protect the intellectual property of the corresponding company. An understandable interest. In this case, trust can be at least partially enabled through certifications from recognized bodies that were able to verify the source code. Incidentally, an approach that smaller open-source projects are usually lacking: Just because the source code is public or the software has many users, this does not mean the software would do everything right. Take TrueCrypt as an example. For many years, it was one of the most popular disk encryption software and from the beginning it was open-source. It took nearly ten years until it came to the first audit – financed through a crowd-funding project and not even fully completed today. An essential first step of this audit was to check and demonstrate that the published binaries were built from the published source code. Because: What counts the proof that the source code is secure when the software for download does not originate from this source. Of course, this cannot be obvious for the average user.

Hackers do not need source code!

In response to the second aspect:

If you follow the world of IT news and look at the reports about hacking incidents, you will quickly discover that hackers do not need the source code to hack systems, to manipulate software, or foist Trojans on users. This is obviously achieved in open- and closed-source software alike. The explanation is simple: Because good hackers are the technically most gifted IT professionals. They analyze software or entire systems with tools and expertise in a way that they do not require any source code. If needed, they – to the extent necessary – restore parts of the source from the binary.

However, open-source does not mean that everyone who wishes may perform arbitrary changes to the code of a program or project. As an example consider Linux, the server operating system that is used most probably the most, also in commercial contexts. Despite being open-source, the development is carried out systematically and highly controlled.

Of course, for the end user the basic rule applies to install only software that comes from trusted sources or sites. This includes not only relevant download portals (of which not all are trustworthy) but especially the original sites of the manufacturers.

Conclusion

Even if you are facing open-source software critically, one must adhere that only because a software is open-source, this does not create security vulnerabilities but on the contrary can provide trust and control.

For the critics of open-source software regarding security, it has to be said: If you are for instance doing online shopping or online banking / home banking, you – at a very high probability – are already using more than just one open-source component, such as your browser, the Web server of the bank or the online store's operating system.

About the author

Computer Scientist Frank Hissen is the owner of HissenIT, a small business in Germany focusing on IT security software development and consulting. Frank has over 10 years experience in various positions as security expert in IT projects. He mainly worked for large businesses but also medium-sized companies.