Open Source: Solution for Security Issues?

There are many cases when keeping privacy really matters. Of course, you wouldn’t bother if you’re discussing a friend’s birthday present or shopping list with your spouse. However, some business solutions or political discussions do have to remain secret.

How do you keep a conversation, be it a call or a text message, protected from wiretapping and interception? We have already discussed the popular messengers that claim strong protection of personal information. All of them have nuances that make them insecure to a greater or lesser extent (for more detail, browse through our previous articles).

The main security point is control: most of the solutions on the market will not give you full control over all systems.

One alternative you may come across is open source security solutions. Yes, in theory you can gain full control over your program, but would you bother?

The point of the open source model is that the source code is available to everyone, along with the ability to change and improve it. However, the vast majority of users will simply install a ready-made solution from the community or group of enthusiasts that created it, and take it on trust that it is fully protected.


Example of Tor Network

Well, here comes Tor, an anonymity network, as an example. It is an open source project presented as a means of anonymous communication and a way to bypass censorship. However, it has been demonstrated many times that a Tor user's anonymity can be stripped away. Even this simple example shows that you cannot trust any solution you do not control.

A few weeks ago, two security experts found out that there are over 100 Tor nodes that spy on network activity. Without getting too "technical", these nodes allow whoever owns them, be it intelligence agencies, hackers, or other "enthusiasts", to learn the addresses of the websites that a user wanted to keep secret.

So Tor, a great idea of the enthusiasts, turns out to be even more harmful for those who need anonymity, since they are all gathered in one place and easily tracked, with no need to bother with call interception or installing spying programs.


It’s Not So Easy to Create a Perfect Solution Out Of Open Code

Yes, potentially you can take the code provided, improve it to fit your needs as well as possible, and create your own perfect solution. Sounds simple? It is not.

First of all, you have to hire a team of professional security experts who will build a working system out of the source code. In addition, they will have to support and improve it regularly. This means a serious investment of money and time.

And this is nothing new. It has been noted more than once that supporting an outsourced project is much more expensive than a commercial solution.

The question of security verification remains essential. The system must be extensively checked for all security issues. That means you have to model all possible attacks, find all the system's vulnerabilities, fix them, test the program once again, and so on. For that, you will need a team of qualified security testers, who are hard and expensive to find and hire. And don't forget that you already have a team of programmers who will have to fix the bugs the testers find. Then comes the second iteration of testing, and so on. It really is very time- and money-consuming.


Conclusion

Commercial solutions are the way out of this endless circle. However, you must understand what to look for.

You need an application that gives you full control over all systems, from the source code through to the servers. In addition, you have to be able to audit the code at any time. Moreover, the application must already be deployed somewhere and tested by independent experts, with positive feedback, of course. As a matter of fact, there are not many options that meet all these requirements, but only in that case can you be 100% sure that your sensitive data is protected.
