Benad's Web Site

I find new security services like this new Silent Circle quite funny. What is the security model? "Trust us". Unless the client code is open source and peer reviewed, that's not good enough for me. I don't mind if the code license doesn't permit redistribution, as long as the end user can see the source code of whatever is used to create a layer of security.

This was partly the reason why I moved over time from using 1Password to using LastPass. The idea of storing all your encrypted credentials online sounds crazy, until you realize that everything is encrypted client-side in your browser using JavaScript. That means that I can effectively prove to myself that the encryption is sound, while 1Password, even if used entirely offline, may be riddled with security holes.

Of course, at some point I just have to give up trying to review all the code and trust others. Still, I cannot fully trust closed-source encryption, as at the very least, by making the code open to all, you increase the chance of somebody finding security holes, or attesting to the software's security.

Published on October 20, 2012 at 19:34 EDT
