[Cryptography] Paranoia for a Monday Morning

Alfie John alfiej at fastmail.fm
Mon Oct 27 16:53:18 EDT 2014

On Mon, Oct 27, 2014, at 10:35 PM, Jerry Leichter wrote:
> It's easy to blame Adobe or the Microsoft of old for incompetent
> programming; but even the latest IE, produced under what may be the
> best "secure software development chain" in the world;

Citation needed.

> and Chrome, a clean-sheet, open-source implementation by a team
> containing some of the best security guys out there; continue to be
> found to have gaping holes.

Clean-sheet? No. Chrome and Chromium for a long time used WebKit as the
rendering engine.

>  At some point, you have to step back and admit that the problem
>  doesn't lie with the developers:  They are being set up to fail,
>  handed a set of specifications that we simply too hard to get right.

Have a look at what Mozilla is doing. They developed a new language
called Rust which has a focus on safety, and are using it to build a new
rendering engine called Servo.

It's not that the specifications are too hard, it's more that complexity
in general is hard to manage. And with Firefox having over 12 million
lines of code with over 3000 contributors, you're now applying Brooks'
Law at absurd levels.

> And that, of course, raises the question:  Accident, or enemy action?

I'd put this into the paranoia basket.


  Alfie John
  alfiej at fastmail.fm

More information about the cryptography mailing list