From the creation of the Android mobile operating system(new window) to powering the first interplanetary helicopter(new window), open-source projects have been critical to the development of new technologies. In a recent survey of enterprise developers(new window), 85% already use open-source code in their organizations, and over 90% will continue adopting open-source projects and technologies.
As open-source projects continue gaining traction, it is beneficial to understand how you can leverage the advantages of open source for better privacy and security. This article looks at what open source is, debunks the myths of open source, and explains why open source is good for encryption and your privacy.
What is open source?
Open source, sometimes referred to as open-source software, is the name for code that is available for anyone to modify and share in its original and modified forms. It enables developers to share their work without the restrictions of a proprietary license.
The open-source movement encourages the development of high-quality software by tapping into the creativity and enthusiasm of a global community of developers. Based on collaborative development, many well-known and widely used software solutions have emerged from open source, including the Apache HTTP server(new window) and the Linux operating system(new window).
Another goal of open-source projects is to promote rapid innovation in software development. Innovation thrives in an environment where users and developers are free to work together on projects and synthesize great ideas. In other words, making software open source democratizes the development process and drives down costs.
Debunking myths about open source
Although the open-source movement has been around for several decades, it’s still plagued by misconceptions. Here are the top three:
Myth one: Open-source software is less secure than proprietary software
Proprietary software is often believed to be more secure than open-source software, though this is not always the case. Besides lowered costs and increased flexibility, open-source projects are more transparent about vulnerabilities as the source code is publicly accessible. Due to its open nature, anyone in the community can detect and resolve security flaws before they pose a serious threat.
You can also review the code yourself, make modifications, and even release a custom version of the software. Open-source projects allow anyone with the technical expertise to fix broken code, whereas only the vendor or company can examine and update proprietary software. As a result, open-source software is often more reliable and secure than proprietary software.
Myth two: Open-source software is bad quality
Though anyone can modify open-source projects, this does not mean that all submitted modifications are accepted. In fact, most open-source projects use a workflow where a lead developer or a group of developers must sign off on all changes made to the code. Many open-source projects experience the same quality assurance checks as proprietary projects do — they undergo code review, testing, and adhere to consistent guidelines(new window).
Myth three: Open-source software provides less technical support than proprietary software
Open-source projects are surrounded by vibrant communities of developers and volunteers that share a collective interest in creating a high-quality product. The larger the community, the more likely you are to find solutions for an issue you’re facing. Most open-source projects have dedicated forums where users can post questions and troubleshoot bugs through crowdsourcing.
When a project is open source, you can also look at the version history to get an idea of the time required to resolve a bug and receive an update. In addition, many tech companies like Netflix(new window) and Adobe(new window) use open-source code in their projects, which guarantees continued support for big open-source ventures.
Why open source is good for encryption
Governments, businesses, and individuals rely on end-to-end encryption(new window) (E2EE) to safeguard their digital communications and data from theft or unauthorized access.
E2EE is a secure method of encoding data so that only authorized parties can decrypt(new window) the information with a private key. Since the purpose of E2EE is to keep sensitive information private (such as your financial data or medical records(new window)), it seems counterintuitive to open up its source code for everyone to scrutinize.
However, the effectiveness of E2EE does not depend on the secrecy of its algorithm but the secrecy of the keys. Even if an attacker perfectly understands the implementation of E2EE in an application, they would not be able to hack into your account unless they also knew your private key.
On the contrary, by opening up the source code, anyone can directly verify that the encryption features are implemented correctly. Instead of operating on blind trust, you can examine the code to ensure that there are no backdoors built in. You can even hire third-party security firms to conduct independent audits.
Open-source encryption enables individuals, experienced developers, and cryptography experts to learn what algorithms are employed, how they work, and point out potential flaws and vulnerabilities. This transparency makes it possible to quickly resolve bugs and independently assess the security of an application, which in turn leads to better privacy.
How Proton Mail’s open-source encryption protects your privacy
We developed Proton products and services with the principles outlined above — all of our apps are fully open source and built with end-to-end encryption. We believe in being transparent with our community and giving them a choice in how their data and privacy are handled.
Since the beginning, we have been strong advocates(new window) for open-source software, and you can find our source code for all our apps on GitHub(new window). We maintain two popular open-source encryption libraries, OpenPGP.js(new window) and GopenPGP(new window).
We also hire third-party firms to conduct independent audits of our apps and share the results so that you can read an expert’s assessment of our service’s security.
Recently, we released an audit report(new window) for the new Proton Mail, which was found to be secure and robust. This audit report provides additional certainty that Proton Mail’s end-to-end encryption protects everyone who uses our service as intended. We also performed security audits for Proton VPN(new window) on all supported platforms, including Android, iOS, macOS, and Windows. If you believe in open-source encryption and would like to support our efforts in building privacy-focused products, you can sign up for a free email account(new window).
Encryption refers to the process of encoding information so that it can only be read by authorized parties. When you make encryption “open source”, you are making its source code and algorithms available to the public for inspection. This means that anyone can review the code and check for vulnerabilities. Because more people are able to examine the code and propose fixes, this makes it more likely that vulnerabilities will be swiftly reported and resolved, resulting in a more secure product.
Encryption, especially end-to-end encryption, protects your privacy by converting sensitive information into indecipherable text. Only your intended recipient can decode this information with a private key. Without access to this private key, it is impossible for a hacker to steal your data unless they also have physical access to the device where your private key is stored. As such, end-to-end encryption ensures that your privacy is protected at the highest level.
Open-source encryption can be used in a variety of applications, from password managers(new window) to email providers. As the world’s largest encrypted email service, Proton Mail provides one of the best open-source email encryption on the market. We use a combination of TLS, zero-access encryption, and end-to-end encryption to secure your emails(new window). All of our code is open source and available on GitHub(new window).