FOSS Crypto is not an option

After the whole Heartbleed’s [1] fiasco, every questions about open source security became legit. But for me, Free and Open Source Cryptographic software is still the best choice you can make in 2016.

Security through obscurity

1456375577_CoffinIn the past years, Many encryption systems used to rely on obscurity of the algorithm. A system relying on security through obscurity may have weaknesses, but its owners and designers believe that if the flaws are not known, then attackers will be unlikely to find them. This was a bad approach and history showed us several times that it never stopped security researchers to exploit vulnerabilities. For example, in March 2008, the Digital Security research group of the Radboud University Nijmegen made public that they performed a complete reverse-engineering and were able to manipulate the contents of a supposedly secured MIFARE card — a proprietary contactless smart card.

Cryptography is Mathematics

Modern cryptography is heavily based on (documented) mathematical theory and computer science practices. Cryptographic algorithms are designed around computational hardness assumptions, making such algorithms sometimes vulnerable in theory, but hard to break in real practice. In every recent and decent software, the only secret should be your password. The strength of encryption lies in the ability to protect data using only your password (and by definition your private keys).

The reason why open cryptography is considered safer than the closed alternatives is because it’s open to reviews and audits from security experts all over the world. Closed algorithms are subject to internal company and paid experts reviews only (which, by definition, is a smaller set than “security experts all over the world”). Truth is that even non-open source programs now use algorithms that are public. The problem persists because source code (especially cryptography implementation) cannot be checked by community. Also, the presence of malicious code limits trust you can have in “black box” solutions. Last year, two unauthorized backdoors (including one that allows the attackers to decrypt protected traffic passing through) were identified in Juniper’s Firewall [2]. In some cases, it was also proven that backdoors are privately identified but exploited by malicious people before it goes public. To avoid nightmare scenarios, open source cryptographic libraries is the only way. But, you still need to take precautions.

FOSS Cryptographic libraries

1456387905_Open-SignWhen you learn programming and open a book at a security chapter, you will read this advise : Don’t roll your own crypto implementations. Matthew Green (renowned cryptographer and security technologist) explained that most of the popular libraries are complex and non-intuitive APIs that present the developer with numerous choices, many of which are insecure. The result is that even experienced developers routinely select dangerous combinations. For example, in OpenSSL you can easily create and use weak certificates (SHA-1) without any warning. In general, you would be safer by preferring high-level APIs to reduce the risk of error on your side.

Make the right choice

Your challenge is not limited to choose the strongest algorithm and start programming as soon as possible. In fact you will need to pay attention to several points like language support, licensing, functionality, algorithms, protocols, API level, security or performance.

Browse all FOSS crypto libraries available [3] to make sure you do the right thing. The Web is full of resources (Stack Exchange, GitHub, Crypto Coding, Reddit, …). Discuss your points, your projects and your cases to find the best solution for each specific project. When working as a freelance, my goal is to help you understand all the available solutions and back technical choices. Cryptography is the security layer that your software will rely on. Every technical decision should be a deliberate choice.

[1] Heartbleed

[2] Juniper’s backdoor

[3] FOSS Cryptographic libraries


I have been working as an IT engineer (mostly in Web hosting industry) for more than 15 years, with specific interest in Linux internals, TCP/IP networks and software security. I have lived in Montreal (Canada), since 2013.

Leave a Reply