It depends on your threat model. All else being equal, using a less
known OS can even be safer. A popular OS will have many people
motivated to dedicate time to find flaws and thus will have many more
known vulnerabilities, plus a number of holes that are not disclosed by
the researchers. If vulnerabilities are already found, automating
attacks becomes cheap. That means that you can end up being pwned even
if no one was targeting you specifically.

While automating attacks using known vulnerabilities is cheap, finding
new vulnerabilities is expensive because it requires expertise that is
rare and well paid. So if you are using some niche OS that no one
knows, you are only at risk if your threat model includes motivated
people with resources being focused on you. If this is not the case, it
is not too hard to find a handful of OSes that never had a single remote
hole found in the default install since forever.

Popularity aside, it pays to take your time to understand why it is
harder to find new security flaws on OpenBSD than on your average OS.
Understanding the concept of attack surface could be a good start.


On Mon, 2022-03-14 at 21:31 +0100, i...@tutanota.com wrote:
> Billions of companies world wide use the Linux kernel and several of
> the major Linux distributions daily. It would stand to reason that
> that would make a lot more bugs be discovered.
> 
> The OpenBSD project can have the best coding practice, the best
> handle on security mitigations, the best default options, but if very
> few companies worldwide use the system, then it's not very
> battle-tested.
> 
> The famous old message on the website has been removed, but the "Only
> two remote holes in the default install, in a heck of a long time!"
> is maybe because "no one" is using the system in production except
> very few.
> 
> How much does battle-testing matter?
> 
> Kind regards.
> 