Comment Re:Open source (Score 1) 88
Easy: use open source libraries.
Yep, like GnuTLS, or Apple's SSL implementation. You know there won't be any bugs in those, or if there are they'll be very quickly fixed and not sit there unnoticed for years.
I remember back in 2008, when the Debian OpenSSL package was found to have a gaping hole in it. I was fascinated by the fact that it had been able to lie there, dormant, until it was discovered and immediately fixed. By rights, the damage should have been widespread.
Back then, I wrote:
My hypothesis – sorry, my speculation is this: People at every stage of the production process and everywhere else in the system trusted that the others were doing their job competently. This includes crackers and others with a vested interest in compromising the code.
So, perversely, yeah: The fact that the GnuTLS hole remained unnoticed for yonks is -weirdly- an argument for using open source libraries. Notwithstanding the fact that the vulnerability remained unpatched for years, it appears to have remained pretty much unexploited for the same period of time.
When processes are perceived to be robust, by black hat and white hat alike, then the mere presence of trust in the system makes them more trust-able. (I won't say trustworthy, because hindsight shows us that they're not.)