The latest Flash vulnerability and monoculture

Jerry Leichter leichter at lrw.com
Mon Jul 27 00:18:14 EDT 2009


On Jul 26, 2009, at 11:20 PM, Perry E. Metzger wrote:

> Jerry Leichter <leichter at lrw.com> writes:
>> While I agree with the sentiment and the theory, I'm not sure that it
>> really works that way.  How many actual implementations of typical
>> protocols are there?
>
> I'm aware of at least four TCP/IP implementations in common use,
Can you name a single system that allows you to substitute different  
TCP/IP stacks?  Without that, there's little practical diversity.  The  
practical difference between a bug that affects 25% of the world's  
systems and 100% of the world's systems - assuming unrealistically an  
even division - isn't all that great.

> several
> common HTTP servers (though there are far more uncommon ones),
Apache and IIS together make up the bulk of implementations.   
Microsoft's long-standing drive to avoid OSS software accounts for one  
of the common TCP/IP implementations, too.  On the one hand, Microsoft  
isn't doing much of this any more - and no one else is trying.  On the  
other, this confirms my observation that an open definition with  
closed implementations is the most likely source of *multiple*  
implementations.

Here, a bug would hit close to half of all systems in the world.  The  
minor players are irrelevant.

> at least
> four or six common web browsers (depending on whether you count the
> several that use webkit as a single implementation or not),
There's probably more diversity here than anywhere else, as the result  
of first Firefox (and other Gecko-based browsers, though they are  
minor players) and then Safari and other Webkit-based browsers  
breaking up Microsoft's lock on the market.  Most of the others divide  
off into disjoint markets which rarely share much software.

> a half dozen
> jpeg libraries, three different opentype implementations, etc., etc.


>> One way or another, a single implementation usually wins out in the
>> OSS community.
>
> See above -- even counting only open source, we have *many*
> implementations. Heck, there are even multiple independent open source
> SSL, SSH and PGP implementations.
Yes, you can find examples.  But there are also examples where there  
is little diversity.  How many active competitors to zlib are there?   
Security bugs in zlib - which have occurred - cause grief to wide  
swaths of products.  While there are independent zip implementations,  
most of the less-known compression algorithms have one implementation  
- and bugs in those have led to problems in multiple anti-virus  
packages, which have to support all the formats and aren't about to  
re-implement them.

Keeping multiple implementations going is expensive - whether you're a  
commercial outfit who has to find the money, or an OSS project that  
has to attract developers.  There has to be a good reason to do it.   
There will be cases where good reasons are present - optimization for  
very different kinds of environments (low power embedded vs. larger  
systems, for example).  For OSS, just simple pride and competition can  
last for a long time, and sometimes get "frozen in".  Competitive  
differentiation is important for commercial efforts - and is  
increasingly affecting OSS efforts through commercial funding.  But  
all of these have to fight a natural tendency to settle on a single  
solution once the problem is no longer novel, the techniques are all  
well understood, and there's ultimately little to distinguish one  
solution from another.  It'll happen sometimes, for some period of time.

I'm not saying more diversity isn't better.  Certainly, if the  
protocol is closed, there will likely be very little if any diversity  
in implementation.  So open standards are to be preferred.  All I'm  
saying is that there's no magic here.  If anything, OSS *encourages* a  
convergence on a single solution, because using what's already there  
is so cheap that you need some really good reason *not* to.
                                                         -- Jerry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
