On Wed, 6 Dec 2017 15:46:57 -0600, VanguardLH wrote:
> Except that VeraCrypt, in its open-source nature, guarantees that it
> is devoid of backdoors whereas BitLocker can make no such promise by
> being a proprietary product.
Being open sourced doesn't guarantee no malicious intent. Unless the
code is audited, no one knows the safety of an open source program.
Veracrypt WAS vulnerable despite being an open source program. Because
it was open source meant someone else could review the code. Some
vulnerabilities were found in Veracrypt. See:
8 Critical Vulnerabilities
3 Medium Vulnerabilities
15 Low or Informational Vulnerabilities / Concerns
Looks like 7 of the 26 issues were addressed by Veracrypt. Unsure how
many more got addressed by "for other vulnerabilities that can be closed
by user practices". Compression got addressed by replacing with
different libs but those libs were not part of the code audit.
Being proprietary doesn't mean a program is less secure than an open
sourced counterpart. The audit found problems in Veracrypt. So how
many open sourced programs actually get audited? Has there been a code
audit of LibreOffice? Gimp? Auditing the source code does not mandate
that was the code used when compiling a distributed executable. Rare
few users compile the source code. Instead they pick up the executable.
Show 'em this. Deliver 'em that. Ever seen a code audit that
disassembles Veracrypt to audit that code?
Open source isn't safer. It's just *available* for public review, not
that it ever got independently reviewed. You have to assume the source
that is open for public review was also the source used to compile the
Great points and thank you for that.
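The point above about the gap between audited source and the executable people actually download is worth making concrete. The following is an added example, not code from this thread or from the VeraCrypt project: it verifies that a downloaded file matches a digest the publisher provides (the file contents and digest here are constructed for the demo), and its notes spell out what such a check does and does not prove.

```python
"""Check a downloaded executable against a published SHA-256 digest.

Added illustration for the discussion above; nothing here is VeraCrypt code.
The 'installer' bytes and the digest used in demo() are constructed for the
example. In real use the expected digest comes from the project's release
page or signature, fetched over a channel independent of the download.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_bytes(data):
    """Hex SHA-256 of an in-memory byte string (handy for tests and small files)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file, streamed in chunks so large binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_matches(path, expected_hex):
    """True only if the file's SHA-256 equals expected_hex.

    Both sides are normalised to lower-case so a mixed-case published value
    still matches; hmac.compare_digest does a length-constant comparison.
    """
    actual = sha256_file(path)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def demo():
    """Constructed scenario: publish a digest for a fake installer, then tamper with it.

    Returns (match_before_tamper, match_after_tamper); expected (True, False).
    """
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "installer.exe")
        # A stand-in binary: PE magic bytes followed by padding (constructed data).
        with open(path, "wb") as f:
            f.write(b"MZ" + b"\x00" * 1024)
        published = sha256_file(path)          # what the publisher would list
        ok_before = digest_matches(path, published)
        # A single appended byte is enough to change the digest.
        with open(path, "ab") as f:
            f.write(b"\x90")
        ok_after = digest_matches(path, published)
        return ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

Two caveats follow directly from the thread's argument. A matching digest shows only that you received the bytes the publisher shipped, not that those bytes were compiled from the source that was audited; closing that gap needs reproducible builds, where independent parties rebuild from the tagged source and obtain the identical binary. And a digest is only as trustworthy as the channel it came from: if it sits on the same server as the download, whoever can replace the file can replace the digest too, so prefer a detached signature or a digest published through a separate channel.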