Cache of the Titans: Let's take a closer look at Google's own two-factor security keys

Milton

But is the code open source?

Notwithstanding Yubico's well-founded concerns about the use by Google of notoriously insecure Bluetooth in part of the process, I have a more fundamental question: is this system open source? I cannot think of a more fundamentally important first question to ask of any encryption/authentication scheme.

While I absolutely understand that commercial companies want to keep potentially valuable IP confidential, I don't see how anyone with serious crypto requirements (which ought to include more and more of us these days) can trust a system with closed source code at the cryptographic layer. Sure, it's fine that the radio protocols, comms drivers and other higher/transport-level stuff may be secret—in other words, any part that handles only messages which are already fully secured and therefore gibberish—but I cannot envision putting trust in closed cryptographic code. That strikes me as "Just Trust Us", if not downright crypto-by-obscurity (which any sane person should regard as worthless), and means that neither I nor anyone else can verify that the crypto is solid: not merely that it's free of mistakes, but does not, at worst, contain backdoors.

We cannot 100% trust anyone not to have been leaned on by NSA, or the Kremlin, or GCHQ. We cannot put 100% faith in crypto algorithms, crypto-chip hardware or code we haven't seen line by line, so that every expert on the planet—people stratospherically beyond my level of knowledge—has had a chance to poke holes. That's not paranoia: that's a by-now age-old cast-iron and fully-hyphenated fact.

As for Google in particular: given that we hear they are disgracefully working on a version of their engine for that authoritarian, murderous, militaristic, repressive regime known as China, why, in fact, would any sane person do anything but utterly mistrust them? (I wonder how many of those noble, free-thinking, self-consciously virtuous coders at Google are refusing the bucks for this particular exercise in squalid greed ...? )

I'd like to be wrong about this ... answers on a BTL please!

"Don't Be Evil" ... now just funny, in a dark, sick kind of way.
