You know, the safest software is the one you, the competent and thorough programmer, write yourself.

You frankly can't trust, say, a password manager that claims to have end-to-end encryption unless you inspected and understood every line of source code and compiled that source code yourself.

If you do not do that, you are taking it on faith.

For example, I'm taking the security of Bitwarden on faith, and frankly, it's not good enough, but I'm not willing to put in more effort.

@thor

> You know, the safest software is the one you, the competent and thorough programmer, write yourself.

Strong disagree.

Even if you're the most competent and thorough programmer in the world, your code isn't as trustworthy as open-source code that's been looked at by hundreds of competent programmers.

The safest program is one written by someone you trust (maybe you), reviewed by many others, and tested by years of production use.

tldr, don't roll your own crypto

@codesections Ah, but if you wrote it on your own, it's far less likely that there are known exploits, since your program is so obscure.

@thor

> Ah, but if you wrote it on your own, it's far less likely that there are known exploits, since your program is so obscure.

(At this point, I *think* you're messing with me, but I'll respond as though you aren't; this goes for other toots in this thread too :D)

Yeah, but then you're relying on security through obscurity, which is never a reliable defense. (It *can* work, at least for a while, but it's not something I'd ever want to count on)

@codesections

Here's an analogy...

No single security feature of a safe makes it impermeable to someone breaking it.

All safes can be broken. Safes are graded on the time and effort it takes.

Same applies to software.

I would say it's highly dependent on context, on your testing setup, on whether your software is exposed to the public Internet or only speaks over a VPN, etc.

Follow

@codesections One huge benefit of software you wrote yourself is that you can eliminate every feature you don't personally need, and this reduces the attack surface.

Β· Web Β· 1 Β· 1 Β· 3

@codesections Many pre-made solutions are very complex and consist of enormous amounts of code that no single person can understand fully.

@thor

> Many pre-made solutions are very complex and consist of enormous amounts of code that no single person can understand fully.

Agreed with this 100% too. Which, incidentally, is why I currently use #pass (passwordstore.org/). I trust a bash script I can read over something like Bitwarden.

Somewhat ironically, given our current exchange, I even rely on a password generator I built myself (github.com/codesections/pass-g), for similar reasons to what you've argued for

Sign in to participate in the conversation
Mastodon

Discover & explore Mastodon with no ads and no surveillance. Publish anything you want on Mastodon: links, pictures, text, audio & video.