Is GPG4Win a suitable tool to use for company-confidential files?

I am not so concerned about the application being cracked, but am asking more from a trust perspective. Is it a sensible and reasonable security practice to entrust a companys sensitive data to a program that is developed by a loosely associated group of programmers instead of a traditional company that can be held accountable for its work?

I realize this is more of an opinion question than purely technical, but Id really appreciate your feedback on this issue.
Asked by: bibleleagueit

3 Solutions
Roachy1979 commented:
I'm not sure about the integrity of GPG4Win as an open source project, but I would regard open source technologies (such as GnuPG on which it's based) as inherently more secure than their proprietary counterparts, due to the extensive peer review that goes on in the community - it's my experience that when security issues occur within an application they are dealt with quickly and (generally) identified pretty soon, as opposed to covered up and ignored for extended periods of time.

Roachy1979 commented:
As an update to that, I've just had a look and the source is freely available from the GPG4Win project.

Have a look at the following article on the IBM website re: peer review:

http://www.ibm.com/developerworks/linux/library/l-oss.html

The argument is that if anyone puts "anything nasty" in the source code it gets spotted... with closed source you have to trust the company who sold you the product that their developers haven't put anything in there that shouldn't be.

Dave Howe commented:
There are arguments for and against the "all bugs are shallow" claim, but the real problem is that most people don't use the source themselves, they tend to use a third party binary package (gpg4win) that you have no assurance was compiled against the source that is available.

That said, I have no reason to distrust the gpg4win project - it seems a good, solid group, and I recommend it/use it myself - but as was proved in "Reflections on Trusting Trust", you can't even guarantee your compiler won't backdoor a binary, so pre-compiled binaries require that you trust those providing them to you - or build your own from scratch.

There is certainly no guarantee the commercial equivalent (PGP) is any less likely to have a backdoor, and possibly even more likely (given their source-disclosure licence explicitly forbids you to use code you compiled yourself, you just have to trust the code they show you is the code they compiled from).
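The point above is that a downloaded installer is only as trustworthy as the party that compiled and shipped it. The least a defender can do before installing is confirm that the bytes received are the bytes the distributor published. The following is an added example (not code from the gpg4win project or from any poster here): it parses a sha256sum-style checksum list and verifies each named artifact, reporting intact, altered and absent files. The file names, the placeholder version "X.Y.Z" and the sample contents are constructed; whether and where a given project publishes such a list is an assumption to check against its download page. This establishes download integrity only, and only if the checksum list itself is authenticated (for example, by a signature from a key you already trust); it does not show that the binary was built from the published source, which is the deeper concern raised above.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path):
    # Stream the file so large installers do not need to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_sums(text):
    """Parse sha256sum-style 'hexdigest  filename' lines into {filename: digest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # second space, or sha256sum's '*' binary-mode marker
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        expected[name] = digest.lower()
    return expected

def verify_artifacts(directory, sums_text):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for every listed artifact."""
    results = {}
    for name, digest in parse_sums(sums_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif hmac.compare_digest(sha256_file(path), digest):
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results

def demo():
    """Constructed sample: one intact download, one altered after the sums were published."""
    with tempfile.TemporaryDirectory() as d:
        good = b"constructed placeholder for installer bytes"  # not a real installer
        published = hashlib.sha256(good).hexdigest()
        for name, data in (("gpg4win-X.Y.Z.exe", good), ("gpg4win-X.Y.Z-tampered.exe", good + b"\x00")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        sums = f"{published}  gpg4win-X.Y.Z.exe\n{published} *gpg4win-X.Y.Z-tampered.exe\n{published}  gpg4win-X.Y.Z-src.tar.bz2\n"
        return verify_artifacts(d, sums)
```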
bibleleagueit (IT Technical Services Manager, Author) commented:
Thank you for taking the time to respond to my question. I am a big fan of experts-exchange and this experience is an example of why.