The reason I have trouble trusting closed-source crypto is that users don't know when it fails, so they can't judge good from bad. Companies that write closed source crypto exist to make money, and there's good money in backdooring your system for the government. Users are happy (since they don't know), the government is happy (since they get the information), and the company is happy (since it's making money on both sides of the deal). In short: the incentives simply don't align in favor of the user.
Weren't there allegations precisely to this effect that RSA took millions from the government to make Dual_EC_DRBG the default in BSafe? I don't know if it's true, but the fact that it's plausible is a problem for me.
Your suggestion here is that users do know when open-source crypto fails? They manifestly, obviously do not.
It turns out, the kinds of people who are qualified to detect when open-source crypto fails tend also to have the means of detecting failures in closed-source crypto.
The problem with discussions about closed-source crypto is that a whole giant cohort of participants mythologize closed-source code. They imbue it with all sorts of magic powers and handwave away arguments by suggesting that the code is itself unknowable. But nobody who really works in my industry engages with code that way. Nothing Microsoft ships is unknowable. No company on Earth is more scrupulously and aggressively reverse engineered than Microsoft's.
Unfortunately, there's lag in learning about crypto failures in Microsoft's code, and it's the exact same lag as we experience for open-source software. It comes of people not actually understanding a fucking thing about how crypto actually works, and it's a problem not just for generalist engineers but for software security experts as well.
Aside: I've been working through cryptopals over the weekend and I'm enjoying it immensely. Thanks!
I completely agree that both open- and closed-source crypto can fail in ways users do not detect.
The gist of the point I was attempting to make was that the incentives for open-source projects are often ideological, rather than monetary, which reduces the incentive for authors to incorporate weaknesses in exchange for money.
I think the incentive problems with commercial providers are misconstrued; the market --- at least to sophisticated buyers --- is unkind to people who sell their trustworthiness. So commercial providers in fact do have a lot to lose.
To the extent that open source has an edge over commercial software in motivation and ideology, it's cancelled out by the immaturity of the code itself. Cryptography is extraordinarily unforgiving.
The reason I have trouble trusting closed-source crypto is that users don't know when it fails, so they can't judge good from bad. Companies that write closed source crypto exist to make money, and there's good money in backdooring your system for the government. Users are happy (since they don't know), the government is happy (since they get the information), and the company is happy (since it's making money on both sides of the deal). In short: the incentives simply don't align in favor of the user.
Weren't there allegations precisely to this effect that RSA took millions from the government to make Dual_EC_DRBG the default in BSafe? I don't know if it's true, but the fact that it's plausible is a problem for me.