The latest Flash vulnerability and monoculture
Perry E. Metzger
perry at piermont.com
Mon Jul 27 08:23:22 EDT 2009
Jerry Leichter <leichter at lrw.com> writes:
> On Jul 26, 2009, at 11:20 PM, Perry E. Metzger wrote:
>> Jerry Leichter <leichter at lrw.com> writes:
>>> While I agree with the sentiment and the theory, I'm not sure that it
>>> really works that way. How many actual implementations of typical
>>> protocols are there?
>>
> I'm aware of at least four TCP/IP implementations in common use,
> Can you name a single system that allows you to substitute different
> TCP/IP stacks?
I could answer literal mindedly and note that QNX and a couple of other
embedded OSes let you do that (or so I recall).
However, it is clearly not necessary for that to be possible for people
to reap the benefits of diversity.
> The practical difference between a bug that affects 25% of the world's
> systems and 100% of the world's systems - assuming unrealistically an
> even division - isn't all that great.
That's completely untrue -- the two situations are extraordinarily
different.
For example, a high security firewall that has identical filtering boxes
with the same stack in front of and behind the DMZ has a 100% chance of
failure if a TCP bug is found, but will remain fine if two different
stacks are in use. (And yes, I've built systems like that, and for
exactly that reason.)
>> several common HTTP servers (though there are far more uncommon
>> ones),
>
> Apache and IIS together make up the bulk of implementations.
Perhaps, but I'm not using either, and neither are many of the worlds
largest web sites. There are a lot of web servers out there, and if you
want, you can pick any you like based on the characteristics you like.
>>> One way or another, a single implementation usually wins out in the
>>> OSS community.
>>
>> See above -- even counting only open source, we have *many*
>> implementations. Heck, there are even multiple independent open source
>> SSL, SSH and PGP implementations.
>
> Yes, you can find examples. But there are also examples where there
> is little diversity. How many active competitors to zlib are there?
Two, I think.
I have trouble thinking of a lot of types of protocol implementations
where there is only one available -- you originally claimed this was
rare, but it is, in fact, nearly the rule, not the exception.
I didn't even mention SMTP, where we have Sendmail, qmail, Postfix,
MMDF, and more, and that's just the open source offerings. IMAP
implementations are even more diverse.
Anyway, you claimed there aren't a lot of diverse protocol
implementations, and there are for practically everything important I
can think of. You asked:
>>> How many actual implementations of typical protocols are there?
...and the answer is, for typical protocols that are widely used, quite
a number. If you want to argue that multiple implementations aren't
interesting, that's another question, but you claimed they don't exist,
and generally, in fact, they do exist.
> Keeping multiple implementations going is expensive
Having multiple supermarket companies or computer companies is also
"expensive". None the less, we seem to have that happen.
Perry
--
Perry E. Metzger perry at piermont.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list