[trustable-software] Software that is not trustable

Dan Shearer dan at shearer.org
Mon Apr 1 09:41:20 BST 2019


This technical list has been debating what trustable software is. It
is much easier to agree on what makes software untrustable, and work
back from there.

I suggest listing some things that make software definitely not
trustable. I don't mean dubious, but absolutely definitely not to be
trusted. This is like the concept of never events in medicine, such as
this list by the NHS which includes handy tips such as "don't amputate
the wrong limb":
https://improvement.nhs.uk/documents/2266/Never_Events_list_2018_FINAL_v5.pdf

Some examples across many categories that are supported by the facts
of mathematics, computer science or law are:

* Servers that require the use of known-insecure ciphers and security
exchanges, such as RC4, SSL, TLS 1.0 and so on. In 2016 all the major
browsers deprecated RC4 connections
(https://www.digicert.com/blog/major-browsers-announce-rc4-deprecation/).
RC4-only web servers are not trustable software.
* Software that silently allows man-in-the-middle attacks. This
includes many SMTP servers that fail open to clear text on
communications with no active alert to either end and at most a note
in the envelope headers or log files. These SMTP servers are not
trustable software.
* Applications with outstanding severe CVEs against them. About 32% of
all websites on the IPv4 internet are Wordpress, and Wordpress has had
a large number of security problems. Any version of Wordpress on the
internet without outstanding severe CVEs is not trustable software.
(This is not a judgement as to whether Wordpress is trustable
software, just an example of software that is most definitely not
trustable.)
* Adobe Flash Player is not trustable software. With 1070 CVEs, many
of them severe, and eventually deprecated by Adobe itself, Flash
should not be used anywhere by anyone connected to the internet:
https://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-6761/Adobe-Flash-Player.html

This isn't a novel idea. Clearly it isn't helpful to write a long list
of things that are untrustable, but listing the categories with
examples and exceptions is helpful.

Therefore I think the "What is Trustable Software?" debate should
look at negative cases, and specific facts. A partial list of sources
that can indicate software is untrustable:

* Facts of cryptography
* EU privacy law
* CVE entries (but only some CVEs)
* Facts of computer science as applied to source code in github
* Statements by commercial software makers, backed by other evidence
* Edward Snowden documentation

All need to be supported by specific evidence, but they are a good start. If
several of them agree the case is very strong.

--
Dan Shearer
dan at shearer.org
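The first two "never events" in the post above (servers that still speak RC4, SSL or TLS 1.0, and SMTP servers that fail open to clear text with at most a note in the headers) can both be checked from the receiving side by reading the note that MTAs do leave in the Received: chain. The following is an added example, not code from the post or the list; it parses the TLS annotations written by Postfix, Exim (GnuTLS naming, where ARCFOUR is RC4) and Google-style MTAs, and flags each hop that was either unencrypted or negotiated a deprecated protocol or cipher. The header samples are constructed, and the regular expressions are assumptions about common header formats rather than a complete catalogue.

```python
"""Audit an e-mail's Received: chain for 'never event' transport hops.

A hop is flagged when (a) no TLS annotation is present at all, i.e. the
MTAs fell open to clear text, or (b) TLS was used but with a deprecated
protocol (SSLv2/3, TLS 1.0) or cipher (RC4 / ARCFOUR).
Header samples below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Normalised protocol names treated as definitely not trustable.
NEVER_PROTOCOLS = {"SSL2", "SSL3", "TLS1", "TLS1.0"}
# Substrings identifying RC4 in OpenSSL and GnuTLS cipher names.
NEVER_CIPHER_SUBSTRINGS = ("RC4", "ARCFOUR")

# Assumed annotation formats (one pattern per MTA family):
#   Postfix: (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
#   Exim:    (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
#   Google:  (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128)
TLS_PATTERNS = [
    re.compile(r"using\s+(?P<proto>(?:SSL|TLS)v?[\d.]+)\s+with\s+cipher\s+(?P<cipher>[\w-]+)", re.I),
    re.compile(r"\((?P<proto>(?:SSL|TLS)[\d._]+):(?P<cipher>[\w-]+):\d+\)", re.I),
    re.compile(r"version=(?P<proto>(?:SSL|TLS)[\d._]+)\s+cipher=(?P<cipher>[\w-]+)", re.I),
]


@dataclass
class HopFinding:
    hop: int                    # 0 is the most recent Received: header
    encrypted: bool
    protocol: Optional[str]
    cipher: Optional[str]
    never_event: Optional[str]  # None when the hop is acceptable


def normalise_protocol(proto: str) -> str:
    """Map 'TLSv1.2', 'TLS1_2' and 'TLS1.2' onto the single form 'TLS1.2'."""
    return proto.upper().replace("V", "").replace("_", ".")


def classify_hop(index: int, received: str) -> HopFinding:
    """Classify one Received: header value."""
    for pattern in TLS_PATTERNS:
        match = pattern.search(received)
        if not match:
            continue
        proto = normalise_protocol(match.group("proto"))
        cipher = match.group("cipher").upper()
        reasons = []
        if proto in NEVER_PROTOCOLS:
            reasons.append(f"deprecated protocol {proto}")
        if any(s in cipher for s in NEVER_CIPHER_SUBSTRINGS):
            reasons.append(f"deprecated cipher {cipher}")
        return HopFinding(index, True, proto, cipher, "; ".join(reasons) or None)
    # No TLS annotation: the hop was delivered in clear text.
    return HopFinding(index, False, None, None, "cleartext hop (fail-open SMTP)")


def audit_received_chain(headers: List[str]) -> List[HopFinding]:
    """Classify every Received: header, most recent hop first."""
    return [classify_hop(i, h) for i, h in enumerate(headers)]


def never_events(headers: List[str]) -> List[HopFinding]:
    """Only the hops that meet the post's 'definitely not trustable' bar."""
    return [f for f in audit_received_chain(headers) if f.never_event]


# Constructed sample chain: a good Postfix hop, a cleartext Exim hop, and an
# Exim hop that negotiated TLS 1.0 with an RC4 (ARCFOUR) cipher.
SAMPLE_RECEIVED = [
    "from mail.example.org (mail.example.org [192.0.2.10]) "
    "(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) "
    "by mx.example.net (Postfix) with ESMTPS id 4ABCDEF for <bob@example.net>; "
    "Mon, 1 Apr 2019 09:41:20 +0100 (BST)",
    "from relay.example.org ([192.0.2.20]) by mail.example.org with esmtp "
    "id 1hAbCd-0001Ef-XY; Mon, 1 Apr 2019 09:41:10 +0100",
    "from old.example.org ([192.0.2.30]) by relay.example.org with esmtps "
    "(TLS1.0:RSA_ARCFOUR_SHA1:128) id 1hAbCc-0001Ee-XY; Mon, 1 Apr 2019 09:41:00 +0100",
]

if __name__ == "__main__":
    for finding in audit_received_chain(SAMPLE_RECEIVED):
        status = finding.never_event or "ok"
        print(f"hop {finding.hop}: encrypted={finding.encrypted} "
              f"protocol={finding.protocol} cipher={finding.cipher} -> {status}")
```

Run against a real message by splitting out its Received: header values (most recent first) and passing them to never_events(); hops flagged as cleartext are exactly the silent fail-open case the post describes, surfaced as an active finding rather than a note nobody reads.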
