Sunday, 24 August 2014

Is Open Source an Open Invitation to Hack Webmail Encryption?


In a move influenced by Edward Snowden's revelations about the NSA's email snooping, Yahoo and Google last week announced that they were cooperating on end-to-end encrypting their webmail products.
"We will release source code this fall so that the open source community can help us refine the experience and hunt for bugs," said Yahoo Chief Information Security Officer John Stamos.
While the open source approach to software development has proven its value over and over again, the idea of opening up the code for security features to anyone with eyeballs still creates anxiety in some circles. Such worries are ill-founded, though.
One concern about opening up security code to anyone is that anyone will include the NSA, which has a habit of discovering vulnerabilities and sitting on them so it can exploit them at a later time. Such discoveries shouldn't be a cause of concern, argued Phil Zimmermann, creator of PGP, the encryption scheme Yahoo and Google will be using for their webmail.
"If someone does find a bug and sits on it, someone else will find the same bug and not sit on it," he told TechNewsWorld. "That's why you want to have a lot of people looking at the code."

Assume Nothing Secret

Although secrecy and crypto systems are commonly believed to go hand in hand, Zimmermann maintains that's not the case at all. "You have to assume your opponent has the source code," he said, "but you don't care who else knows it. The only thing that you have to keep secret is the private key."
In a system like PGP, there's a public key -- which anyone can hold -- and a private key -- which only you hold. Messages scrambled with the public key can only be unscrambled with the private key paired to it.
"Open source has been how we create good crypto for a long time," Zimmermann noted. "PGP source code has been published since I released it in 1991. How do you expect people to trust it unless they can see for themselves that there are no backdoors?"
However, an open source project is only as good as the community that forms around it.
"When you have a lot more people using something day to day, developers are more inclined to work on it," Cameron Camp, a senior researcher at Eset, told TechNewsWorld.
"When you have lots of interested people looking at the code, that usually makes for better code than a team working in private that don't know what they don't know," he added.