On Thu, Jul 11, 2013 at 12:23:25PM -0700, Mitar wrote:
> Hi!
>
> BTW. Even Tor has centralized directory servers. And it does not
> really matter if the code there is open source or not, because you
> anyway cannot know if they are really running some particular code
> there or not.

A good point. Nonetheless the way forward for security critical software is toward de-centralisation; encouraging deployment and adaptation to local contexts - political, social and topological. This is why both client and server need to be open such that they can be both audited and adapted.

I can't think of a case where arguments in favour of closed-source deployment in this space aren't ultimately grounded in desire for control and capital return within a product-oriented (rather than service) business model. Selling binary blobs sans source code in a security setting is a risky business, in that it pushes risk onto the customers.

Cheers,

Julian

> On Thu, Jul 11, 2013 at 12:17 PM, Mitar <[email protected]> wrote:
> > Hi!
> >
> > On Thu, Jul 11, 2013 at 6:25 AM, Albert López <[email protected]>
> > wrote:
> >> Ok, I understand what you mean. But why rely on a client-server approach
> >> when you can achieve your goal with a peer to peer solution?
> >
> > Their answer is:
> >
> > "The way to make the system secure is that we can control the
> > infrastructure. Distributing to other servers makes it impossible to
> > give any guarantees about the security. We’ll have audits from trusted
> > third parties on our platforms regularly, in cooperation with our
> > community."
> >
> > Which is a bit hand-wavy if we assumed that server code can be closed
> > source if client part is done well enough that you don't have to think
> > about the server side and you still know that you are secure. :-)
> >
> > But my main and almost only argument was, that I think we should wait
> > for a bit more concrete information before discarding the idea. At
> > least I can imagine plausible ways to implement the system securely
> > and having it known security properties while retaining part of it
> > closed source and centralized. But we don't know much to make any real
> > claims.
> > What is interesting though, is that:
> >
> > "We are building Heml.is on top of proven technologies, such as XMPP with
> > PGP."
> >
> >
> > Mitar
> >
> > --
> > http://mitar.tnode.com/
> > https://twitter.com/mitar_m
>
>
> --
> http://mitar.tnode.com/
> https://twitter.com/mitar_m
> --
> Too many emails? Unsubscribe, change to digest, or change password by
> emailing moderator at [email protected] or changing your settings at
> https://mailman.stanford.edu/mailman/listinfo/liberationtech

--
Julian Oliver
PGP B6E9FD9A
http://julianoliver.com
http://criticalengineering.org
