by FreezerburnV 4214 days ago
I would argue that, theoretically, proprietary can be secure. A code base can be made secure by highly experienced engineers who are paid to make the code secure. You might never be able to see the code, but it could still be secure. The problem is that you can never actually verify how secure the proprietary solution is. So whether or not it is secure, you don't trust it. (There are even some interesting arguments to be made about the security of any solution that deals with some kind of user input. My previous boss stipulated that the only way to have a truly secure email client is to have some third-party, verified library that takes all the input and spits out encrypted data to whatever program deals with email servers, without the program dealing with email servers ever seeing that input in plain text form, because who knows what it might do with it.)

On the other hand as well, open source most certainly does not mean secure. I don't even have to argue to make this point, I merely have to point out Heartbleed or Shellshock.


Yes, proprietary can be secure. But my question to you is why bother?

As a business model open-source arrangements such as Red Hat or the countless Hadoop services show that you don't really need to lock down the source code to create a successful business around it.

With communications software, the cost of closed-source software with magical trust-us crypto getting fully compromised is incredibly high. If people can't trust their basic tools to be private, nor be able to verify it, then they can't assume any conversation they have is private. That's a scary world IMO.

This is particularly true for broken encryption more than the presence of memory exploitation such as Heartbleed or Shellshock.

While you can argue that some piece of open source software can be more insecure than a proprietary alternative, auditing a piece of software requires access to the source code and that is mandatory. And with open source everybody can audit with no restrictions. Yes, OpenSSH is a piece of shit, but how do you think it was discovered, from 2 independent parties no less.

Then there's another effect that I like - after the initial patch was released, the story went public, we got notified immediately, then we could discuss what caused it and see the actual commits and who did it. Such a catastrophe can sink a company, therefore you never see such post mortems for proprietary stuff. And yes, even I as a developer cannot audit software for security, but the point is that I could hire somebody else to do that for me, like the Finnish company that discovered Heartbleed.

So yeah, there is no concrete proof that proprietary stuff is less or more secure than open source, but the point is that we'll never know, because nobody can know how secure something is without looking at the source code.

OpenSSH or OpenSSL? I thought OpenSSH was pretty solid, forgetting the fact that configuring it isn't as straightforward as one would hope.
Sorry, I meant OpenSSL. It was a typo.
Yes, in theory it is possible. However even 100% secure proprietary software must be assumed to be insecure, because we're still running on blind faith, which is patently stupid for anyone who requires security.
You run OpenBSD, don't you? (To be fair, their approach since the 90s seems a lot more reasonable now)
No, my views are not based on my own needs or paranoia. As a security-oriented software developer I recognize that software that claims to be secure needs to deliver, because people like Snowden, Assange et al. may be relying on it some day.
I don't even have to argue to make this point, I merely have to point out Heartbleed or Shellshock.

The reason both were found, and had the absurd propaganda campaigns behind them that are the only reason you can even name them to begin with, is precisely that the underlying software was free.

On the other hand, let's name drop another vulnerability and its exploit: SMBRelay. Took 7 years after it was made public to introduce an incomplete and partial fix. Still exploitable to this day, 13 years later.

So what it boils down to, is that both open source and closed source software can have bugs lingering in them for years that go unnoticed and/or unfixed.