Friday, October 23, 2009

Is Open Source Inherently More Secure?

A colleague of mine recently provoked much controversy in the interview "Why open-source DNS is 'Internet's dirty little secret'". Leaving aside the hyperbole from both sides on multiple issues raised by the interview, I'm left to wonder whether open source offers a reliability or security advantage.

There doesn't seem to be a decisive answer in principle. The experts all have opinions, precedents and theories.

  • Everyone understands that open source gives equal opportunities for friends and foes alike to examine the code. Some argue that a determined attacker reverse engineers anyway, but why make it easy on the attacker?
  • Sure, having the source means that you can look for trap doors and more easily detect them, but on the other hand, when release 1.1 of an open source project comes out with a lot of publicity that it is an IMPORTANT SECURITY FIX, people running version 1 (for whatever reason) have crosshairs on them.
  • It seems pretty clear that public cryptographic algorithms get a lot of scrutiny and benefit from it, but they are extremely high value targets, and experience suggests that a lot of open source and proprietary code alike goes unexamined because it's, well, a boring job to audit others' code.
  • The processor that executes the code doesn't know if it's open or not; it's the quality of the code and not its provenance that matters.

Well, what about in practice?

I couldn't find any controlled experiments out there, but there are some ideas:

  • Both open and proprietary folks have a lot of security bugs.
  • It's more fun to add features than to run security audits.
  • Open source may well have greater longevity than proprietary code. Of course, since closed source is often done with a commercial motive, end-of-life announcements are ways to start new revenue streams rather than to purge old code.

So at the end of the day, there are a lot of assertions out there, and less security than one would like in both open and closed source.

I use Firefox, because it's supposed to be more secure than Internet Explorer.

While Jon's article provoked a lot of backlash, there's little glory in bind's security record, compared to other DNS code, particularly Nominum's. Of course, bind tries to do more and has been a target for a decade or more longer than anybody else.

So I think it's silly that there's a general rule here; I suspect that in some cases the advantage goes to open source and in other cases proprietary code.

Saturday, October 3, 2009

Paul Mockapetris Supports Censorship in Germany - Not

Several people have asked me how I could possibly support the position stated in: "DNS-Erfinder Paul Mockapetris implementiert die Internetzensur in Deutschland"

Well, I can't read German, but I don't need to in order to know there's a bit of creative license involved here - I was never consulted in any form about the article, nor was I involved with or familiar with the proposed German system.

But what would I have said if asked? There's certainly an opportunity here to be crucified for something I do say. Suppose I had been asked for an opinion on the proposed German system?

First, I'd say that I keep my nose out of German affairs. There's a quote attributed to John Quincy Adams, an early American President, which says "We are the friends of liberty everywhere, but the custodians only of our own." I'd apply it to the present to say that while I'll advocate a position for the US Internet, and recommend it to others, it's up to them to decide their own policy.

Second, I oppose censorship, malware and child porn and don't see that I have to let the bad guys of the Internet loose on child surfers, the general public, or myself in order to support liberty. But there are choices involved.

But let's focus first on the DNS, and then on Nominum's role in the DNS.

In the public Internet the way I get to Obama's message is to access Whitehouse.gov, the Internet site of the current US administration. My local DNS server takes "whitehouse.gov" and translates it to the IP address with the web content. If I wanted a gambling site, I might go to FullTiltPoker.com. Since there are certainly thousands and maybe millions of websites with titles that suggest the full range of pornography, I'm sure I could find almost anything with a certain amount of work. There are also sites that are not at all what they seem: Whitehouse.com has no apparent connection to Whitehouse.gov though it offers "healthcare reform" information at the moment. Occasionally, legitimate websites are hacked to have graffiti or even malware that's hazardous to you.

So it comes as no surprise that the original idea of a totally open and consistent DNS has yielded to the practical reality that it's possible to limit access and improve security by preventing the DNS from resolving certain names, or by providing substitute IP addresses or the like:
  • The first, and most popular, version allows companies to "hide" domain names used in their internal network from the outside world. Hardly anyone objects to that.
  • The case for today is whether to use the tactic to limit access to child porn, hate speech, political opponents, malware sites, or say evolution or creation science.

The way it works in the mass market is that whoever runs the nameserver deletes, redirects, or otherwise changes the information associated with the domain name of the undesirable content.

The practice is akin to filtering by IP address, URL, or other criteria. And obviously, there are many, many, different opinions on what is "undesirable".

As a practical matter, I say it isn't censorship if I have an unfettered choice of nameserver. Second, I want my default DNS to be filtered. I may want unfiltered DNS as well if I want to run a honeypot which offers itself to malware in order to see what attacks it. I'd love the ability to have different filters for my use and my children's. There's a wide variety of reputation sources around to do the filtering, and what I really want is a combination of multiple reputation sources, both blacklists and whitelists.
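The mechanism described in the last few paragraphs (a nameserver that deletes or redirects answers for listed names, combining several reputation sources with a whitelist, and applying a different filter per user) is sketched below as an added example; it is not Nominum's code or anything from the original post. The reputation lists, hostnames, and TEST-NET addresses are constructed sample data, and `upstream` stands in for the ordinary recursive lookup.

```python
# Added illustration: a filtering policy layer in front of a recursive resolver.
# Every list entry, hostname and IP below is constructed sample data.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Profile:
    """One user's filter: which reputation lists apply, plus a whitelist.
    redirect_ip=None means blocked names get NXDOMAIN instead of a redirect."""
    name: str
    blocklists: List[Dict[str, str]]
    whitelist: Set[str] = field(default_factory=set)
    redirect_ip: Optional[str] = None


# Constructed "reputation sources": domain suffix -> category.
MALWARE_LIST = {"evil.example": "malware", "phish.example": "phishing"}
ADULT_LIST = {"gambling.example": "gambling"}

# Constructed stand-in for the real recursive lookup (TEST-NET addresses).
_UPSTREAM = {"whitehouse.gov": "192.0.2.1", "gambling.example": "192.0.2.3"}


def upstream(name: str) -> Optional[str]:
    return _UPSTREAM.get(name.lower().rstrip("."))


def _match(name: str, source: Dict[str, str]) -> Optional[str]:
    """Return the category if the name or any parent domain is listed."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        hit = source.get(".".join(labels[i:]))
        if hit is not None:
            return hit
    return None


def resolve(name: str, lookup: Callable[[str], Optional[str]],
            profile: Profile) -> Tuple[str, Optional[str]]:
    """Return ('pass', upstream answer), ('redirect', landing IP)
    or ('nxdomain', None) according to the profile's lists."""
    # Whitelist wins over every blocklist, so a trusted name is never filtered.
    if _match(name, {w: "allow" for w in profile.whitelist}) is not None:
        return "pass", lookup(name)
    for source in profile.blocklists:
        if _match(name, source) is not None:
            if profile.redirect_ip:
                return "redirect", profile.redirect_ip
            return "nxdomain", None
    return "pass", lookup(name)


# Three filters for one household: unfiltered (honeypot), adult, child.
UNFILTERED = Profile("unfiltered", [])
ADULT = Profile("adult", [MALWARE_LIST], redirect_ip="192.0.2.250")
CHILD = Profile("child", [MALWARE_LIST, ADULT_LIST], whitelist={"whitehouse.gov"})
```

Because `_match` walks parent domains, listing `evil.example` also covers `www.evil.example`, which is how suffix-based blocklists normally behave.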

OK, what about Nominum?

The technology here is still under development, and Nominum provides a way for ISPs to do DNS filtering. ISPs were doing such filtering before Nominum, and for almost as long as the DNS has been around, but making it effective, configurable, and selectable still needs work.

It's not a complete security solution; for example, it doesn't look at the content of a website or email. I'm neither censored nor protected if I choose to use a name server that doesn't filter. I'm protected but not censored if I knowingly use a filtered name server. Providing at least both options seems like the right choice.

There's a sea of details and choices, and many folks are working to address them.

(By the way, I use advice from the Guide Michelin to filter what restaurants I go to; perhaps ZDNet should investigate why the Guide Michelin does censorship around the world.)