Heartbleed was found though.

Thinking out loud here, what's the best counterfactual on HB?

I can imagine a ClosedSSL that gets hammered in a blackhat presentation. I can imagine ClosedSSL getting fixed, eventually.

It's just hard for me to imagine that happening faster because people like Neel couldn't read the code.

Maybe the counterfactual is that ClosedSSL is also well funded and cares deeply about security, so it finds HB internally.

But openness doesn't preclude funding. And closed source doesn't grant you an automatic security focus.

So rich ClosedSSL vs poor OpenSSL isn't an apples to apples comparison.

All things held equal, openness provides one extra possible avenue to find and catch bugs, and so such projects will tend to have more caught on average.

What does HB teach us then? Just that some bugs are hard.

Now, to be fair, if "openness" is just used as a substitute for internal security audits, a way to shrug and farm out that work and blame to passers-by, then that would be obviously terrible.

That probably happens more than we'd like to admit, but I still don't think it's the typical reason people open their code.
