In patching its open-source chat application, Cryptocat implied that such software is inherently less secure than proprietary products, spurring a debate among security experts over whether open-source or commercial software is more secure.
Cryptocat makes a snooping-resistant instant messaging (IM) application that runs inside a Web browser. The open-source project apologized last week for a now-fixed bug that made it too easy for an attacker to decrypt and read conversations.
The vulnerability, found by researcher Steve Thomas, is serious because the software is used by activists trying to avoid government eavesdropping, journalists having sensitive conversations with sources and lawyers seeking privacy while talking to clients.
In a blog post, Cryptocat took full responsibility for the flaw and added, "We will commit failures dozens, if not hundreds of times more in the coming years, and we only ask you to be vigilant and careful. This is the process of open source security."
The comment baffled Paul Royal, associate director of the Georgia Tech Information Security Center. "He could have generalized the statement to: 'This is the process of software security -- period,'" Royal said on Monday. "I don't quite understand why open source makes it inherently risky, like somehow because software is proprietary a developer will not make a mistake."
However, other experts disagreed, saying that because open-source software is developed by an unpaid group of engineers, there are going to be security lapses.
"Since open source software isn't owned by anyone, there are no dedicated software maintenance people and enhancements are made by whoever can and wants them," said Murray Jennex, associate professor for computer security at San Diego State University.
Dan Olds, an analyst for Gabriel Consulting Group, agreed, saying developers paid to build software have more at stake in getting it right.
"The key difference is that commercial developers depend on the quality of their product to pay their mortgages and feed their families," Olds said. "I would argue that this forces commercial developers to pay more attention to bugs and to do more rigorous testing."
In addition, companies can be held liable for software left insecure due to negligence, Olds said.
Morgan Davis, a senior trainer and engineer at Security Innovation, said it's not fair to blame open-source security. "The failures of Cryptocat are not failures of open-source versus closed-source development, but rather a failure in the secure development process," Davis said.
"They failed to execute effective security practices in requirements, design, [and] implementation and throughout the rest of the development process," he said.
Cryptocat published a threat model for its namesake software that is "rudimentary at best, and never identifies cryptography as being a potential weak point," Davis said.
"Consequently, they -- through their crypto-ignorance -- implemented a terrible series of crypto-blunders," he said.