Silent Circle Dangerous to Cryptography Software Development

Update 3: Wonderful news: Silent Circle has begun releasing its source code. However, only small and incomplete chunks have been released so far. The rest should absolutely follow, with proper documentation.

Update 2: Is Silent Circle Open Source Yet?

Update: Silent Circle just tweeted that it will “make their code available for audit and inspection”, but has not specified whether (or when) the code will be available to the general public, or under what license.

In the cryptography world, we consider open source necessary for good security; we have for decades. Public security is always more secure than proprietary security. It’s true for cryptographic algorithms, security protocols, and security source code. For us, open source isn’t just a business model; it’s smart engineering practice.

- Bruce Schneier

We reserve the right to cancel your service for doing bad things.

- Silent Circle’s Privacy Statement

I have strong reservations regarding the imminent release of Silent Circle, a suite of smartphone apps chiefly known for being co-developed by Phil Zimmermann, the inventor of PGP. Silent Circle consists of apps for encrypting phone conversations, text messages and email. The developers behind the application are likely competent, and yet, because of the app’s design principles, there exists no method of verifying the effective security properties of Silent Circle, or of verifying whether the application does anything more or less than what it says it does.

Ultimately, Silent Circle is damaging the state of the cryptography community; its model goes against responsible methods of cryptography software development. The problem with Silent Circle is that it provides cryptography software while keeping its source code hidden. By doing so, it goes against decades of cryptography software development practice, which includes full disclosure, the capacity for an open audit, and more.

Releasing your code in the open was never done as an act of charity, but as a necessary method of ensuring that independent programmers and experts can look at your code, point out security flaws, and assess whether or not your product lives up to its promise. Every prominent piece of security software that released its code as open source received dozens of security reports as a direct result; this is a testament to closed source software’s relative incapacity to deal with hidden security flaws.

Cryptography development doesn’t move forward as a whole unless it is open source software: many of the core encryption technologies used by Silent Circle were in fact released under open licenses years ago, following the same mindset. Silent Circle opts for security through obscurity, whereas the rest of the cryptography community has been developing software that favors the opposite for decades.

Skype has long claimed to offer encryption, and yet its closed source code and its operational record have earned it deserved critique. Silent Circle stands in the same position as Skype: both promise encryption and yet offer no method of verifying the security, integrity and reliability of their claims.

Silent Circle also collects vast amounts of identifying information on its users (including credit card numbers, which is necessary because the software costs $20 a month to use) and, due to its centralized nature, makes itself vulnerable to Federal requests for encrypted data and even to wiretaps. Open source software tends to decentralize naturally, and avoids being exposed to these gigantic organizational weaknesses.

Silent Circle’s mission statement claims that the company doesn’t wish to pay lip service to false security, and yet the mission statement remains chock-full of PR jargon (sometimes helpfully outlined using quotation marks) while Silent Circle ignores the most basic tenet of responsibly releasing cryptography software. I condemn Silent Circle for favoring cheap profit-making methods over real security.

Most of Silent Circle’s features are already offered by open source software such as RedPhone and TextSecure, which can be expected to be more secure and more reliable due to their openness to review and independent development.

Posted October 11, 2012 by Nadim in Computing, Security
