Like a privacy based fully open source browser. Wouldnt it be more hackable because every one know the script and is a glopal privacy based gpay alternative possible ? What about targeted hacking is someone using closed source application more better off than someone with ooen source ?

  • NaibofTabr@infosec.pub
    link
    fedilink
    English
    arrow-up
    14
    ·
    10 months ago

    This is where most of the problems in open source come from. Just because anyone can look at the source code doesn’t mean that anyone actually is. It frequently seems that everyone just assumes that popular/common libraries have been reviewed and vetted, but never bother to check for themselves unless they happen to work in application security. It’s like Douglas Adams’ SEP field. And many common modules became common because they were convenient and/or easy to use, not because they were rigorously developed and tested with strong security principles.

    Of course expecting every user to inspect the source of every piece of software they use, every time it gets an update, is utterly ridiculous. No one would ever actually use anything.

    With closed source, the problem is that you can’t see the code so you need to be sure that you trust the developer. With open source, the problem is spaghetti code (and worse, spaghetti dependencies) so again you need to be sure that you trust the developer(s).

      • NaibofTabr@infosec.pub
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        1
        ·
        10 months ago

        Either way, the issue is trust. With popular/widely used open source projects, you can at least democratize trust to some extent (many people have worked on this, and many more have used it). Smaller projects are more risky. This is true for proprietary software also - generally, Microsoft is putting effort into fixing vulnerabilities in their products, but if you buy specialty software from a small business with a registered address in Ireland but actually based out of Moldova, they will probably have different quality standards.

        Whether open or closed, you should try to understand the incentive model of the developers. Is it paid software? Is there a license agreement? Is it ad supported? Or donation supported? Is it a volunteer project? Is it collecting data about its users?

        Some open source software is developed by companies but distributed freely. Bitwarden is a great example of this. It’s probably the best password manager out there right now. It’s free for individual use and for self hosting. The company makes money by selling implementation and support services to businesses. This model has a lot of benefits, and the code projects that come out of such companies are generally very stable and trustworthy.

        The trust issue is slightly different in form between open and closed source, but ultimately it’s the same issue. If the security of what you’re doing matters, then you need to know who you’re working with and whether their interests align with yours.

        • taladar@sh.itjust.works
          link
          fedilink
          arrow-up
          2
          ·
          10 months ago

          Smaller projects are more risky. This is true for proprietary software also - generally,

          Not necessarily. Large commercial vendors might be much more likely to kill off one of many projects, even large ones, than a small vendor is to kill off their only project.