+++
title = 'Why Open Source?'
date = 2026-05-12T12:00:00-00:00
lastmod = 2026-05-12T12:00:00-00:00
tags = ['open source']
[params]
author = 'Iain Learmonth'
+++

All of our development efforts at SR2 Communications are released under an open source licence.
This is often a condition of the grants that fund our work, but we don't just use the licences to meet contractual
requirements. We strongly believe that open source software is the best way to approach the technical needs of
civil society organisations.

Kerckhoffs's Principle is one guiding idea in this approach.
The principle holds that a cryptosystem should be secure, even if everything about the system, except the key, is public
knowledge[^1].
Kerckhoffs's principle was later phrased by the American mathematician Claude Shannon as "the enemy knows the system".

This principle forces us to build software that would withstand a source code leak because it's already open.
We cannot hide security flaws behind obscurity.
Every algorithm, every protocol decision, every line of networking code must be robust enough for expert scrutiny.
When vulnerabilities are found, and they sometimes are, they're found by friendly researchers who report them, rather
than by adversaries who exploit them silently.

This auditability also helps us build trust.
When our code is fully auditable, users can verify exactly what our software does, and crucially, what it doesn't do.
They can confirm we're not logging their activity, not inserting backdoors, not collaborating with adversaries.
This trust is foundational.
Without it, users won't risk using our tools, and the tools become useless.

When we produce censorship circumvention tools, we are building in a context where there is already distrust.
Censorship cannot exist without surveillance.
To block content, authorities must first monitor what users are accessing.
This surveillance creates a chilling effect: even when censorship isn't actively enforced, the threat of being watched
leads to self-censorship.
Users hesitate to search for sensitive topics, search for alternative news sources, or communicate openly.
We must circumvent not only the censorship imposed technically, but the self-censorship imposed by the threat of
surveillance.

Funding for internet freedom work can be unpredictable. Grant cycles end. Priorities shift.
If a funding gap forces us to halt development, open source ensures continuity is possible.
Other organisations can pick up where we left off without needing any permission from us.
They can maintain the software, apply security patches, and keep services running for users who depend on them.

Even when funding is stable, we cannot be everywhere at once.
Our team has expertise in specific regions and network conditions, but censorship takes different forms across the
world.
Deep packet inspection, for example, may be implemented differently in different regions, but if we have an open source
framework for defeating it, we enable others to adapt our tools for their local contexts.
A developer in a region we've never considered can fork our repository, modify protocols to evade their specific regional
environment, and deploy it for use.

Our open approach invites contributions from a global community of security researchers, computer scientists, and
censorship measurement specialists.
These academics scrutinise our cryptography, suggest protocol improvements, and identify vulnerabilities we might have
missed.
They publish papers that advance the entire field, and we incorporate their findings back into our codebase.
This virtuous cycle makes our tools stronger than any closed-source alternative could be.

We see open source as a strategic necessity.
It builds user trust in an environment of surveillance and self-censorship.
It multiplies our impact through decentralised adaptation.
It harnesses global expertise for continuous improvement.
It enforces genuine security that withstands scrutiny.
And it ensures our mission endures, regardless of what happens to our organisation.

The code we write today may outlast us. That's by design.

[^1]: Kerckhoffs described a number of design rules for military ciphers in 1883, and there is another principle that we
also strongly agree with (translated from
[the original French text](https://petitcolas.net/kerckhoffs/crypto_militaire_1.pdf)): "given the circumstances in which
it is to be used, the system must be easy to use and should not be stressful to use or require its users to know and
comply with a long list of rules".