Why Open Source Matters For Sensitive Email

Jason Baker writes Can you really trust your email provider? And even if you self-host your email server, can you really trust its security if you can't see the code? Over on Opensource.com, Olivier Thierry makes three cases for using open source to power your email solution: The power of numbers, the value of trust, and the importance of leverage.

Open Source not a silver bullet

[i+work+on+computers]

We've seen over the last year many open source, power in numbers projects have critical vulnerabilities waiting to be exposed. Those defects were sitting there for years, yet being open source didn't magically fix them. I use many open source tools, but I've never inspected the code myself. Even if I did, I'm not going to be finding these hard-to-find defects that the people in the project can't find. I'm not going to implicitly trust an open source project just because it's open source. How do I know who's really contributing? At least if Apple is doing something naught with my iCloud email, at least in theory I can join a class action lawsuit and get a free download from iTunes. If the NSA is inserting nefarious code into an SSL project, there's really no recourse for action. Over the last year, I've learned that the key to internet security is that it doesn't exist. If there's something that really so sensitive, maybe you shouldn't email it.

Stupid article is stupid

Open source is a source licensing model. It has no magic powers for creating secure solutions to anything.

Stupid headline: Why open source matters for sensitive email
Stupid headline: Why closed-source matters for sensitive email
Smart headline: Why security matters for sensitive email

Code audits for security defects can happen regardless of source licensing model.
Coders authoring a service, no matter how security conscious, and no matter how many eyeballs they have, will likely miss many exploitable defects.