[Development] Proposal: Time to decide what security policy the Qt Project will use (not Trolltech/Nokia/Digia)

Thiago Macieira thiago.macieira at intel.com
Thu Oct 25 19:08:25 CEST 2012


On quinta-feira, 25 de outubro de 2012 00.18.32, d3fault wrote:
> Qt has corporate roots. Responsible Disclosure has been in place since
> the Trolltech days. Corporations tend to prefer Responsible Disclosure
> because it pleases their commercial customers. Commercial entities
> like to keep their end users in the dark because vulnerabilities
> reflect poorly on the company and affect their bottom line.

Against my judgement, I'm replying to you. I'm doing that *again* only because 
this is about security. So let's get on with it.

Your characterisation above is incorrect. Corporations may have profit motives, 
and I'm not saying they don't. But your characterisation is somewhere between 
blissfully ignorant and flat-out lying and FUD: commercial entities have good 
people who make intelligent and logical decisions.

But this is not about them. This is about the Qt Project. So let's get on with 
*that*.

Note: Intel practices Responsible Disclosure, but this is not about my 
employer either.

> So for the sake of argument, let's say it has none. We should then
> compare the pros and cons of Responsible vs. Full Disclosure [0].
> 
> As of yet, no logically sound arguments (that haven't been rebutted
> by yours truly) have been presented in favor of Responsible
> Disclosure. Lots of opinions have been presented, but opinions have
> very little weight against logic. The only exception to the "no
> arguments" is script kiddies, but script kiddies are nothing compared
> to crackers. Responsible Disclosure both extends the window of
> opportunity for crackers and also increases the vulnerability's
> overall exposure... leading to more crackers finding and exploiting it
> before public disclosure.

Here are the arguments in favour of Responsible Disclosure:

While there are many zero-day exploits, assuming that all security issues are 
known to exploiters is disingenuous. What's more important in this is that the 
level of competence and resources in the exploit community varies a lot. I can 
agree that exploiters with vast resources may learn the security issues before 
the full disclosure happens, but I definitely do not agree that all exploiters 
will.

Therefore, disclosing the details to everyone is irresponsible. This enables 
attackers with little resources to gain access to details that they may 
otherwise not have found out. This increases the attack surface and compounds 
the problem.

Another argument is that disclosing too early serves little benefit. More to 
the point, disclosing the details of a security issue before a workaround or 
fix is available serves very few. There's a waterfall where we lose people upon 
the disclosure:
 - most people will not be paying attention
 - of those that are paying attention, we lose a great part because the 
   details are too technical and they are not able to comprehend them,
   not even to determine whether they are affected by the issue
 - of those that did understand the details, we also lose a great part because 
   they are unable to come up with a fix or solution for their affected systems,
   short of shutting them down completely

Let's be generous and say that 3% of the community is able to act on the 
fully-disclosed security information before a fix or workaround is published. 
That means 97% is still vulnerable, and we've just enabled low-resource 
attackers to attack.

Instead, Responsible Disclosure requests that the sensitive information be 
treated in a closed circle until a workaround or, preferably, a fix is 
available. This closed circle should publish the inoculation mechanisms as 
soon as possible, as well as the proper fix if that's the case. By releasing 
the information on how to close the vulnerability before the details of the 
attack vector, we accomplish:
 - a high signal/noise ratio on the disclosures, which should cause people to
   pay more attention
 - relevant information for the affected parties on what steps they should take 
   to protect themselves
 - little information for the attackers on how to exploit the issue

This isn't coming from just me. I've taken the time to talk to a security 
expert, who explained the details to me. That has reinforced what I already 
believed.

> I really hope we choose Full Disclosure as our security model, as it
> gives the _users_ the best opportunity to protect both themselves and
> their end-users.

I do not, and my reasons are above.

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center