Cryptocat vulnerability excuse sparks debate over open source

In patching its open-source chat application, Cryptocat implied such software is less secure than proprietary products, spurring an open source versus commercial application debate among security experts.

Cryptocat makes a snooping-resistant instant messaging (IM) application that runs inside a Web browser. The open-source project apologized last week for a now-fixed bug that made it too easy for an attacker to decrypt and read conversations. 

The vulnerability, found by researcher Steve Thomas, is serious because the software is used by activists trying to avoid government eavesdropping, journalists having sensitive conversations with sources and lawyers seeking privacy while talking to clients.

In a blog post, Cryptocat took full responsibility for the flaw and added, “We will commit failures dozens, if not hundreds of times more in the coming years, and we only ask you to be vigilant and careful. This is the process of open source security.”

The comment baffled Paul Royal, associate director of the Georgia Tech Information Security Center. “He could have generalized the statement to: ‘This is the process of software security — period,'” Royal said on Monday. “I don’t quite understand why open source makes it inherently risky, like somehow because software is proprietary a developer will not make a mistake.”

However, other experts disagreed, saying that because open-source software is developed by an unpaid group of engineers, there are going to be security lapses.

“Since open source software isn’t owned by anyone, there are no dedicated software maintenance people and enhancements are made by whoever can and wants them,” said Murray Jennex, associate professor for computer security at San Diego State University.

Dan Olds, an analyst for Gabriel Consulting Group, agreed, saying developers paid to build software have more at stake in getting it right.

“The key difference is that commercial developers depend on the quality of their product to pay their mortgages and feed their families,” Olds said. “I would argue that this forces commercial developers to pay more attention to bugs and to do more rigorous testing.”

In addition, companies can be held liable for software left insecure due to negligence, Olds said.

Morgan Davis, a senior trainer and engineer at Security Innovation, said it’s not fair to blame open-source security.”The failures of Cryptocat are not failures of open-source versus closed-source development, but rather a failure in the secure development process,” Davis said.

“They failed to execute effective security practices in requirements, design, [and] implementation and throughout the rest of the development process,” he said.

[Also see: Open Source — Is it inherently more secure than proprietary software?]

Cryptocat published a threat model for its namesake software that is “rudimentary at best, and never identifies cryptography as being a potential weak point,” Davis said.

“Consequently, they — through their crypto-ignorance — implemented a terrible series of crypto-blunders,” he said.

A major difference between proprietary and open-source software is the latter’s source code is available to everyone, including hackers. While that means less skill is need to find vulnerabilities, there is no shortage of experienced developers who can do the binary reverse engineering needed to find as many flaws in proprietary applications, Royal said.

“The primary difference will be in the level of skill at which a person can reverse engineer to discover that vulnerability,” he said.

Commercial vendors will place protective layers over their code to prevent the theft of their intellectual property, Royal said. But that has not stopped hackers from exploiting a steady stream of vulnerabilities in Microsoft Windows and Adobe Flash, examples of popular applications often targeted by cybercriminals.

Therefore, the ubiquity of the software is what dictates the risk, Royal said. The more popular it is among consumers and businesses, the more likely criminals will look for flaws and develop malware to exploit them.

“In general, software used by many people is going to be targeted,” he said.

While that may be true, a hacker is still likely to find open source software easier to crack, said Murray. “I never recommend anyone use open source software for critical applications unless you are going to maintain it yourself and, of course, inspect it and keep it safe,” he said.