Updated: 2003-01-06; 7:58:48 AM
Doug's Inner Net News
    News and views from a software developer's perspective

Thursday, October 31, 2002

While getting involved in some SSL/TLS programming in recent days, I have been wondering about real versus perceived threats to secure communication.  Read any of the articles and books about secure communications, and you hear of many possible threats, some actually quite intricate.  These books and articles rarely put threats into perspective.  Here are a few examples of threats:

  • short key length of DES makes it "easy" to crack
  • insufficiently random data
  • possibility of finding two strings that hash to the same value
  • a "man in the middle" causes communicating parties to negotiate down to a weaker algorithm

These are all threats, to be sure.  But how much of a threat?  How do these compare to the threat that a private key is compromised and the CRL is not distributed in time to stop the damage?  Or the threat that someone falsely impersonates an organization to the Certification Authority to get a certificate (as someone impersonated Microsoft not too long ago)?

 
12:37:48 AM


Yahoo says it will start using PHP for scripting its web pages.  It will deep-six its own proprietary web scripting language, called yScript. [CNET News.com]

PHP is a very good web scripting language.

But what about other proprietary scripting languages, like Cold Fusion?  Isn't Macromedia supposed to make money selling large Cold Fusion licenses to big companies like Yahoo?  Or do they just sell large licenses to financial institutions and other organizations that seem to commonly choose expensive proprietary solutions (for some inexplicable reason)?  I can't see why anyone would buy a license for Cold Fusion, when PHP is equally good, if not better, and free.  This can't be good news for Macromedia.  Eventually, there will be a time when even the financial institutions will stop paying for Cold Fusion.

There's a lesson to be learned.  If you are in the software business, you must pay attention to Open Source software.  Depending on the products you sell, it's possible that one day in the not-so-distant future, you will be unable to sell your products because of an Open Source alternative.

 
12:21:24 AM


Copyright 2003 © Doug Sauder