
Re: Validating a program



Adam Shostack wrote:
> Dale Thorn wrote:
> | [email protected] wrote:
> | > >> On Tue, 5 Nov 1996, Edward R. Figueroa wrote:
> | > >> > Last, I would like to know once and for all, is PGP compromised, is
> | > >> > there a back door, and have we been fooled by NSA to believe it's secure?

> | > You can read and compile the source code yourself.

> | Really?  All 60,000 or so lines, including all 'includes' or attachments?
> | I'll bet you can't find 10 out of 1,000 users who have read the total source,
> | let alone comprehended and validated it.

[snip]

> In short, if you're paranoid, feel free to look over the source.  But the fact that
> most people have never peeked under the hood is not a strike against PGP at all.

The quip about peeking under the hood may apply OK to an automobile, but to a program
which encrypts?  Granted that most messages (99+% ??), if read by NSA et al., won't
put the sender in any great danger, but when the application is really serious, as it
always is sooner or later, you must realize that people could be taking great risks
with PGP encryption, and "pretty sure" isn't good enough when it's really, really
vital to have bulletproof security.