by sickbeard 3725 days ago
No, but to blindly trust in it is silly. Even OpenSSL had the Heartbleed bug that persisted for years without most people realizing it. All it takes is one bug for the entire thing to be useless.
3 comments

And Heartbleed is also an example of open source not being totally secure. It was a bug that persisted for years before it was found - and OpenSSL is open source.

It's just as foolish to blindly trust OSS. There will always be holes - the main point to OSS is not to combat these, as they will exist regardless. Rather, it is so one might know exactly what they're installing/using, without having to trust the corporation behind it.

No, it's foolish to trust something that hasn't been independently reviewed. How can the EFF recommend something that hasn't even been subjected to an independent security audit?
The goal is not to be perfect, but to kickstart encryption adoption by a large non-technical audience, I believe.

Sure, that's no excuse for potentially bad crypto, but it's worth it if this gets proper infosec into the public's reach in the end. I'm confident this is a first step to having trustable encryption "in the real world", even if it's another client/company providing it later. Call me an optimist :)

> one bug

Everything can have bugs. The problem with this software is that it's a centralized single point of failure. Only a proper federated protocol can be resistant to subversion by business, government, or other interests.