In this case I was mostly referring to the inclusion of certificate pinning (ex: https://github.com/moxie0/AndroidPinning) in the mobile apps, which would theoretically prevent them from using a UAE or Saudi controlled CA to do the interception. In addition to iOS and Android, we also refused to compromise with low-end platforms like MediaTek, and made sure those clients were also all-TLS and that they employed certificate pinning. We also did common sense stuff like including assertions in all the platforms that would prevent accidental HTTP leakage.
More generally, a lot of common sense effort was put into the general TLS posture of the website. From certificate pinning baked into the browsers, to HSTS headers, to making sure the links in search results are https.
There was a bunch of generally nice TLS stuff in the pipe as well, but I'm not sure if it shipped yet.
If you really want the world to be a more secure place, can I please ask that you relicense the AndroidPinning code as BSD or something less viral than GPLv3?
I don't see Instagram, Facebook, etc. using that code to secure their apps, they won't license their Android clients as GPLv3 just to use the Android pinning library. While it is easy enough to re-create your code (though I have not looked at it), given that we're talking encryption libs, it's always nicest to have secure, vetted libs that just work.
(As a matter of fact, I'm sure you had to relicense it for Twitter to use it in their app.)
>Please contact me if this license doesn't work for you.
I see no reason why Moxie should give Facebook and Instagram this valuable feature for free. When did open-source hackers become the unpaid laborers for silicon valley?
If they want it, they can either release the source code for their applications and liberate their users, or they can pay (hopefully) through the nose for it. Maybe that'll buy a few more months of TextSecure development, or whatever other cool things Moxie is doing now.
Facebook or Instagram will just reimplement it themselves if they care. Smaller developers will just remain insecure. GPLv3 harms adoption of something like this.
Not that simple, you have often stated that normal programmers shouldn't be near security and now you are stating that they should go implement something that is specifically to enhance the security of the web.
The gp isn't asking for a change of license because he hate the GPL, he is (properly correctly) predicting what will happen if that license isn't changed: specifically, the thing that Moxie is trying to prevent won't be.
We live in a world where if the cost of too high for something like this, it will be written off as unnecessary. Unless there is someone really pushing this from within, Facebook/Instagram/etc probably won't implement something like this, or will just create their own (possibly poor) substitute.
I get the idea that people should be paid for their work, and it's his choice how he licenses it. On there other hand, if the point is to make sure this spreads as far as possible and gets used everywhere, then maybe a very permissive license is called for.
If he hadn't taken the time to publish this code, you wouldn't have even known to try to zing him for using the "wrong" license. Perhaps the most rational solution for people like Moxie would simply be to never publish their code, and simply continue to write forcefully and effectively about technical controls and privacy.
Then they wouldn't have to jump through silly hoops to prove whether they "really want the world to be a more secure place".
Or, how about this: if you really want the world to be a more secure place, why don't you take the time to learn how to implement certificate pinning for Android apps and publish your own MIT-licensed implementation? I'm sure Moxie would join the rest of us in cheering you on.
You don't have to be such an ass. I asked nicely enough.
I fully acknowledge Moxie is better at security than I ever will even dream of being. I just hoped he might see the value in releasing it under a more-amicable license. I don't have the numbers, but more-liberal licenses are by a wide margin the choice for open-source crypto.
I'm not speaking from the armchair, I've released open-source code under BSD/MIT myself. I don't have Moxie's skill for security, is it so wrong to point out the obstacle the license represents? He did release it to help secure the web, did he not? Why don't you let him reply.
Basically all of the software that I write for projects like this is GPL by default, but I generally include a note (as in this case) that developers should contact me if the license doesn't work for them.
I find this to be a good balance: those who wish to take my work and openly contribute their own work are free to do so, and those that don't need to contact the copyright holder. I don't think it's a lot to ask in this case, and I definitely don't think that licensing issues are what's holding back internet security here or otherwise.
I hardly think that calling moxie's choice of license "viral" and questioning whether he "really wants the world to be a more secure place" is asking "nicely enough".
religous wars aside i also would like to hear from one of the cryptography gods about licensing cryptography software since ComputerGuru does have a good point when talking about software such as openssh
There's more value in forcing vendors to work with Free Software licenses than in compromising the ideals of open source to allow vendors to benefit without contributing back.
You should be asking yourself how you can change your project so that GPL3 licensed code will be acceptable, rather than asking others to relicense their code.
Not to mention, you can't really force them to do anything: they'll just avoid the GPL code, create it themselves, or find something similar under another license.
Isn't it amazing how people come out of the woodwork to point out the force inherent in the GPL never say "oh, by the way, thanks for publishing a reference spec I'm free to use to develop my own code."
As Thomas said, people would be less bitchy, and less holier-than-thou (cough), had Moxie not written any code, or written it and charged an arm and a leg for it.
It's sort of what patio11 talks about. The cheaper the service, the worse the people treat you.
> You don't have to be such an ass. I asked nicely enough.
No, not really. Would you have asked the creator of a closed source crypto library to give it away?
I used to agree with you, that security software should be BSDLed to encourage use, but now I see it just encourages more low-end closed-source software.
If that software was open, users could know what they were using and could with work really be safe. But by trusting a closed source app, especially one that can't afford anything for security, they'll never be secure (see this article for proof) and thus are worse off than if they're knowingly only partially secure.
It sounds rough, but better the mob steal some money because you used an insecure app, causing you learn and audit your security requirements, than for you to feel secure until someone shows up and shoots you.
Fully agree. Securing an application is just part of the overhead of creating it. To expect people to hand these bits and pieces out seems a bit overboard, if not somewhat entitled. This stuff costs time, money, and effort to make. The author released it under GPL3. If you can't afford to shell out for it, you can use the code to reroll your own. There's plenty of documentation on the topic as well.
Agreed. The onus shouldn't just be on Moxie. We could easily flip the question around. Why not put the onus on the company's mentioned. Why don't Facebook and Instagram relicence their code as GPL to be compatible. Do they not want the Web to be safe? Will they put "not having a GPL app" before "our users are safe"? Etc etc
> I don't see Instagram, Facebook, etc. using that code to secure their apps, they won't license their Android clients as GPLv3
They might license the code under a non-exclusive license with different terms. I.e. the copyright holder is free to license the same source code under various licenses.
So, e.g. I could license some code to the community under GPL, but I could also license it closed-source to a corp for a fee.
More generally, a lot of common sense effort was put into the general TLS posture of the website. From certificate pinning baked into the browsers, to HSTS headers, to making sure the links in search results are https.
There was a bunch of generally nice TLS stuff in the pipe as well, but I'm not sure if it shipped yet.