This question is “old like the World”, as we say in my country. How can we trust a secrecy protocol or implementation that the worldwide community can’t study, test and modify? Who can assure us that the rules of the game are clear and that they are fully respected?
When we use a closed encryption protocol or implementation for our communications we can only trust the service. It’s like telling a secret to our best friend: we choose someone we trust and tell him our secret, but who knows whether he will respect our privacy? Maybe our best friend will approach his cousin and say: “Hey, can you keep a secret?”, and obviously the answer is “Yes!”.
So all we can do is “trust”: trust the company that provides the service, or trust the world and switch to open source protocols and implementations.
Today I’ve read that WhatsApp will embed and run by default the end-to-end encryption protocol developed by Open Whisper Systems. OWS developed an OTR-like protocol to be embedded in its open source applications, but WhatsApp is proprietary software and we may not have the information the world would need to make a “security and trust” assessment of the OWS implementation inside WhatsApp.
Are we safe? Can we trust? Who can say…
With closed source there is not only the risk of a malicious backdoor but also a higher risk of vulnerabilities derived from bugs. It’s well known, in fact, that the open source community is better able to track and patch vulnerabilities than the Cathedral… even if we have had to face the sad events of Heartbleed and Bash Shellshock, the trend is that OSS is generally patched faster than proprietary software.
But that’s not the definitive point. Not every company is going to go open source, and for some services we have to trust, or simply be happy that a new layer of security is added to our application. Every day we use encryption protocols on our credit cards and other services that are proprietary, and we trust them.
Another story is services that live on collected personal data. For these services it’s economically impossible to implement total encryption because they need your data to make money. This is the case of Google, which encrypts outgoing and incoming traffic but keeps plain text data on its servers to be analyzed by its programs.
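To make the difference concrete, here is an added illustration (my own example, not code from Google, WhatsApp or Open Whisper Systems) of the two models the paragraph contrasts: traffic encrypted only on each hop to the provider, versus a message encrypted end to end. The cipher is a constructed toy (an HMAC-SHA256 keystream XORed with the data) chosen only so the script runs with the standard library; the `RelayServer` class, the key names and the sample message are all assumptions made for the demonstration, not anything the page describes.

```python
import hashlib
import hmac
import os

MESSAGE = b"meet at 10:00, bring the contract"  # constructed sample message


def _keystream(key: bytes, length: int) -> bytes:
    # Keystream block i = HMAC-SHA256(key, i). Toy construction for this
    # example only; real systems use an AEAD such as AES-GCM or ChaCha20-Poly1305.
    blocks = []
    produced = 0
    counter = 0
    while produced < length:
        block = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        blocks.append(block)
        produced += len(block)
        counter += 1
    return b"".join(blocks)[:length]


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    # XOR with the keystream; because XOR is its own inverse, the same
    # function also decrypts.
    return bytes(p ^ k for p, k in zip(data, _keystream(key, len(data))))


toy_decrypt = toy_encrypt


class RelayServer:
    """The provider's server (hypothetical). Records what it could read of each message."""

    def __init__(self):
        self.observed = []

    def relay_transport_encrypted(self, link_key_in, link_key_out, ciphertext):
        # Transport-only model: the sender's hop and the recipient's hop are
        # each encrypted, but both link keys live on the server, so the
        # message is plaintext inside the provider and can be analyzed there.
        plaintext = toy_decrypt(link_key_in, ciphertext)
        self.observed.append(plaintext)
        return toy_encrypt(link_key_out, plaintext)

    def relay_end_to_end(self, ciphertext):
        # End-to-end model: the server never holds the message key; it can
        # only store or forward the ciphertext exactly as received.
        self.observed.append(ciphertext)
        return ciphertext


def transport_only_exchange(message=MESSAGE):
    """Returns (what the recipient reads, what the server saw)."""
    server = RelayServer()
    sender_link = os.urandom(32)     # key shared by sender and server
    recipient_link = os.urandom(32)  # key shared by server and recipient
    on_wire = toy_encrypt(sender_link, message)
    delivered = server.relay_transport_encrypted(sender_link, recipient_link, on_wire)
    recipient_reads = toy_decrypt(recipient_link, delivered)
    return recipient_reads, server.observed[0]


def end_to_end_exchange(message=MESSAGE):
    """Returns (what the recipient reads, what the server saw)."""
    server = RelayServer()
    e2e_key = os.urandom(32)  # known only to sender and recipient
    on_wire = toy_encrypt(e2e_key, message)
    delivered = server.relay_end_to_end(on_wire)
    recipient_reads = toy_decrypt(e2e_key, delivered)
    return recipient_reads, server.observed[0]


if __name__ == "__main__":
    got, seen = transport_only_exchange()
    print("transport-only: recipient reads", got, "| server saw", seen)
    got, seen = end_to_end_exchange()
    print("end-to-end:     recipient reads", got, "| server saw", seen)
```

In both runs the recipient reads the same message; the only thing that changes is what the provider in the middle could read, which is exactly the trust question the paragraph raises. A provider whose business depends on analyzing the content cannot offer the second model without giving that analysis up.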
Last but not least, online encryption services, even if they release the full specifications of their security system, will always run on their servers a software version that is not accessible to the world. They may release the source… but is it the same as the processes running on their servers? So it’s always the same story: the only parameter we have to choose our security service (if closed source) is “trust”.