Trusting open code: The incident also underscores a familiar trade-off. Open-source libraries such as OpenPGP.js are widely used because they offer transparency, broad adoption, and the advantages of community input and peer review. But trusting open-source libraries also means inheriting any flaws they might have, even subtle ones that can go unnoticed for years.

“This vulnerability shows that even well-established crypto libraries can contain dangerous bugs, especially in edge cases,” Grover said. “The risk is even greater when you consider supply chain threats, where there have been increasing concerns about malicious actors, including state-sponsored groups, attempting to inject or maintain backdoors in widely used libraries.”

Privacy-focused services should not rely solely on open-source tools but should also invest in regular code audits, threat modelling, and thorough testing against both common and advanced attack techniques, Grover said.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3992088/critical-flaw-in-openpgp-js-raises-alarms-for-encrypted-email-services.html