Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

cancel ×

105 comments

First post, shitheads! (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31661844)

yeah!!

You insensitice clod... (5, Funny)

comm2k (961394) | more than 4 years ago | (#31661864)

I'm running Debian stable so it'll be another 10 years until it hits the repos.

Re:You insensitice clod... (1, Informative)

Anonymous Coward | more than 4 years ago | (#31661910)

insensitice

You insensitive clod! My eyes hurt from reading that misspelling!

Re:You insensitice clod... (1)

stovicek (1768794) | more than 4 years ago | (#31661954)

Let's hope they have better idea of how to configure it this time. No more blacklists, please.

Re:You insensitice clod... (2, Insightful)

Lunix Nutcase (1092239) | more than 4 years ago | (#31662044)

Or monkeying with the random number generator.

Re:You insensitice clod... (3, Insightful)

Cyclops (1852) | more than 4 years ago | (#31662194)

Or monkeying with the random number generator.

After being ignored by arrogant dolts who didn't bother to correct him and guide into providing a better fix.

Re:You insensitice clod... (2, Insightful)

Lunix Nutcase (1092239) | more than 4 years ago | (#31662236)

Then if you neither understand the code nor understand the effects your changes make to the code, you don't make the change. The fault squarely lies with the idiot monkeying around in places he shouldn't have.

Re:You insensitice clod... (0)

Anonymous Coward | more than 4 years ago | (#31662950)

We're forbidden to use Debian (or any derivatives) for production servers now. That bug really hurt.

Re:You insensitice clod... (0, Flamebait)

JackieBrown (987087) | more than 4 years ago | (#31667962)

Not going for flaimbait but I guess you also forbid Ubuntu as well?

And security bugs caused you to drop OS's, I am sure you dropped Windows as well.

Actually, what do you allow for production servers? I guess it is a BSD only enviroment - assuming they have never had any security bugs.

Or do the other linux distrubtions hold a perfect secrity bug track record now?

Re:You insensitice clod... (1)

darkpixel2k (623900) | more than 4 years ago | (#31665064)

Then if you neither understand the code nor understand the effects your changes make to the code, you don't make the change. The fault squarely lies with the idiot monkeying around in places he shouldn't have.

Or maybe it lies with the idiots that gave someone who doesn't understand the code or the changes commit access...

Re:You insensitice clod... (4, Informative)

Al Dimond (792444) | more than 4 years ago | (#31665554)

I'm pretty sure the only place the changes were committed was Debian patch repos. The whole thing is pretty much Debian-specific.

I think you're trying to make a larger point, so I'll make a larger semi-rebuttal. If projects only gave commit access to people that understood the whole code base they'd never get anything done. Developers with the power to commit, whether to Debian's repository or upstream, should be aware of which code they understand. They should ask questions when they don't understand something, and they shouldn't commit it until they understand the consequences.

I have commit access for Audacity and there are many parts of the program I don't know very well. That's how I operate. Anyone committing changes to OpenSSL ought to at least be as careful as I am with Audacity. I'm sure the actual OpenSSL project is a lot less permissive about giving access to their own repositories, and they probably review changes more closely.

Debian seems to carry a lot of patches against a lot of programs and doesn't seem to ensure the same level of quality. At the same time, Debian has more resources for bug tracking and user reporting than many projects, and maintains security backports for projects that are unwilling. It's a bit of a mixed bag.

Re:You insensitice clod... (1)

darkpixel2k (623900) | more than 4 years ago | (#31666374)

I think you're trying to make a larger point, so I'll make a larger semi-rebuttal. If projects only gave commit access to people that understood the whole code base they'd never get anything done.

Sorry--I should have worded that better. They should only give access to people who either understand the whole codebase or know their limitations and won't mess with things they don't understand.

I have commit access for Audacity

Thank you for helping with a great program. I use it weekly to convert audio files from my boss for use in Asterisk. (And also making the occasional ringtone for my phone...) ;)

1.0.0 (4, Funny)

pushing-robot (1037830) | more than 4 years ago | (#31661902)

Meh. I never run version 1.0 of anything.

Re:1.0.0 (0)

Anonymous Coward | more than 4 years ago | (#31662038)

If you like Apple, you run version 2.0 or get burnt trying.

If you like MS, you run version 3.1 or get burnt trying.

If you like FLOSS, you get burnt compiling version 0.2 on Gentoo stick to the 10 year old 0.1 branch on Debian.

Or, maybe Windows 10 will be okay. (0)

Anonymous Coward | more than 4 years ago | (#31667120)

"If you like MS, you run version 3.1 or get burnt trying."

If you like MS, you ... get burnt.

Re:Or, maybe Windows 10 will be okay. (2, Funny)

Pharmboy (216950) | more than 4 years ago | (#31669160)

On the up side, it only takes one mouse click and a pop up that says "Are you sure you want to get burnt?" to do so.

Geee! (4, Informative)

Philip K Dickhead (906971) | more than 4 years ago | (#31661916)

Just in time for commonplace MiTM spoofing.

That little lock on your browser window indicating you are communicating securely with your bank or e-mail account may not always mean what you think its means.

Normally when a user visits a secure website, such as Bank of America, Gmail, PayPal or eBay, the browser examines the website's certificate to verify its authenticity.

At a recent wiretapping convention, however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds. The boxes were designed to intercept those communications -- without breaking the encryption -- by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.

The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there.

The existence of a marketed product indicates the vulnerability is likely being exploited by more than just information-hungry governments, according to leading encryption expert Matt Blaze, a computer science professor at University of Pennsylvania.

"If the company is selling this to law enforcement and the intelligence community, it is not that large a leap to conclude that other, more malicious people have worked out the details of how to exploit this," Blaze said.

http://www.wired.com/threatlevel/2010/03/packet-forensics/ [wired.com]

Banks etc. should publish certs offline Re:Geee! (1)

davidwr (791652) | more than 4 years ago | (#31662108)

Easy enough to get around for in-person banks: Have them post their credentials on the walls of their buildings and have a take-home flyer with the same information printed on it.

This won't work for Internet banking and it will cause issues if the bank itself ever changes keys, but barring that it should work. Of course, this assume people who care enough to check.

On a more practical note, web browsers that keep local copies of credentials or at least credential-digests then alert when one changes will provide some protection. However, that won't help me if I'm under surveillance and the feds are playing man-in-the-middle with my Internet banking AND when I call the bank's phone number: If an FBI agent acting as a phone teller says "Yes, sorry about that, some Chinese hacker stole our key, yes, the new key is legit," I'm not likely to drive down to my nearest branch - which may be halfway across the country - to check it out.

Re:Banks etc. should publish certs offline Re:Geee (1)

ppanon (16583) | more than 4 years ago | (#31665276)

The feds don`t need to do mitm between you and your bank. If they want to go to the trouble of checking your banking activity, they probably have enough evidence to get a search warrant from a judge. It`s your common communications like phone and e-mail that the police want to be able to snoop on without the hassle of a court order. The feds get a copy of major money movements from the domestic banks anyways, and they can figure out how much you have from the interest statements transmitted to the tax collection branch of government. Foreign banks in tax havens are admittedly a different matter, but that isn't a concern for most of the population.

The people that want to do mitm attacks between you and your (domestic or foreign) bank are the criminals that want to pilfer your accounts.

Re:Banks etc. should publish certs offline Re:Geee (1)

spazdor (902907) | more than 4 years ago | (#31666540)

If they want to go to the trouble of checking your banking activity, they probably have enough evidence to get a search warrant from a judge.

This is the important bit, and we don't want it to change. if SSL wiretapping is practicable for the cops, there is now a possibility that it could change.

Which would suck.

Re:Geee! (3, Interesting)

Enleth (947766) | more than 4 years ago | (#31662256)

The issue is the one of encryption vs. authentication vs. both at the same time, and the fact that SSL/TLS was designed to provide both at the same time only, without any sane way to provide just one of those things at a time, as opposed to, e.g., PGP.

I'm no cryptographer, just a part-time server administrator (and other things too, but this is irrelevant), but my experience, together with plain, old common sense tells me that things would be much easier for both administrators and security guys (is there a proper name for them?) if the concepts of data encryption on the wire and authentication of the other party were separated both in protocol and implementation. Besides the obvious benefit of being able to encrypt the connection without those silly, cartel-provided certificates (even without indicating anything at all to the user, so they don't get a false sense of having more security in place than there is, default encryption of the most popular protocols would do much to thwart all but the most determined wiretapping and eavesdropping attempts), such a separation into two distinct technologies should make it a lot harder to break both things at the same time, and a lot easier to fix any single one of them that someone managed to break without affecting the other.

Of course I could be wrong, and even if I'm not, there's too much inertia in technology and too much money in the SLL certificate cartels for anything to change in this direction, but at least I still have my right to rant a little bit.

Re:Geee! (4, Informative)

rmm4pi8 (680224) | more than 4 years ago | (#31662718)

I'm sorry to say it, but if you want privacy, this is wrong. You can have authentication without encryption (digital signatures) but encryption without authentication = Man in the Middle. PGP and SSH don't get around this in any way, shape, or form--they just seed trust differently, with PGP using the web-of-trust model and SSH a repeatability model. Neither of those work very well for the classic "online banking" use case, however--average users are not going to seed their trust webs, and expect to be able to bank from computers at cafes, work, and friends' houses--none of which would have connected previously, making the SSH model unworkable.

That's not to say there's nothing here--extensions to the SSL model like EV certs, DNSSEC, and phishing databases have all made these attacks harder. Perhaps browsers will implement web-of-trust or trust-history type extensions to make it harder yet. And it may well be the case that you simply cannot safely bank at computers you don't own, though with pre-shared keys and time-generated PINs both embedded into mailed fobs, the possibilities open up enormously as long as the execution is correct.

But at the end of the day there's no true privacy without authentication built-in and for the core e-commerce use case, SSL is probably the best model.

Re:Geee! (1)

JesseMcDonald (536341) | more than 4 years ago | (#31663370)

expect to be able to bank from computers at cafes, work, and friends' houses

From a security point-of-view this expectation is frightening. Using their own trusted computer on an untrusted network, sure—that's what TLS was designed for. Using an untrusted client computer, however, is just asking for trouble in the form of keyloggers, malware, insecure settings (are you sure they didn't enter an exception for that invalid certificate?), etc.

As far as that goes, the prevalence of malware in general should make anyone think twice about online banking, even from their own PC. Remember, any program on your computer can pretend to be you as long as you're logged in to your online banking site. Someone even wrote a virus/trojan to this effect directed against e-Gold (back when they were still active), and there's no reason it wouldn't work just as well against any other site. There is very little you can do, short of self-contained hardware authentication for each transaction, to protect against this sort of local attack.

Re:Geee! (1)

hitmark (640295) | more than 4 years ago | (#31667972)

security token keyfobs a option?

Re:Geee! (1)

JesseMcDonald (536341) | more than 3 years ago | (#31674482)

security token keyfobs a option?

These can help protect against keyloggers and the like; once you've logged out of your account you should be fairly safe (unless some other attack altered your login credentials). However, if you can't trust the local PC then you're still subject to the other attacks I mentioned: uncertain security against phishing, redirects, etc., and local malware taking advantage of your authenticated connection while you're logged in.

If the keyfob is required for each transaction, and not just the initial login, then your security is marginally better. In this case malware can't just make up arbitrary transactions and file them in your name. However, this does not completely close the security hole: malware can substitute its own data (destination, amount) in place of yours every time you transfer money, using the code you entered from your keyfob to authenticate the false transaction. This is largely how the malware against e-Gold worked.

Re:Geee! (1)

MikeBabcock (65886) | more than 4 years ago | (#31669542)

The problem is very simple -- browsers come with a list of signing certificates that the browser trusts implicitly. When you visit a website, you're trusting the certificate signing process between any one of those issuers represented in the browser's database and the website you're on. You of course have no way of knowing how those certificates were issued to the domains in question, or if they're reliable or trustworthy.

Importantly, most sites don't use client certificates either, which would help prevent most MitM attacks as well. Equifax is one site I know does offer this as an authentication option for its clients.

Re:Geee! (1)

DragonWriter (970822) | more than 3 years ago | (#31675214)

I'm sorry to say it, but if you want privacy, this is wrong. You can have authentication without encryption (digital signatures) but encryption without authentication = Man in the Middle. PGP and SSH don't get around this in any way, shape, or form--they just seed trust differently, with PGP using the web-of-trust model and SSH a repeatability model. Neither of those work very well for the classic "online banking" use case, however--average users are not going to seed their trust webs, and expect to be able to bank from computers at cafes, work, and friends' houses--none of which would have connected previously, making the SSH model unworkable.

Yeah, but they will have likely dealt with the bank in person first, which makes the "out-of-band exchange" mechanism work, which is much better than using any delegated authentication model (web-of-trust or CA-based).

Re:Geee! (2, Interesting)

QuantumRiff (120817) | more than 4 years ago | (#31662868)

You mean like DNSSEC?

You can ensure that you are really talking to your bank. If they wanted to (and if the browser was okay with it) they could then publish their public key into their signed DNS, and not only would you know they were them, but that their self signed key was okay. Of course, it takes those poor little certificate authorties out of the picture in many cases, which is why they (verisign does both root DNS servers, and certificates) seem to have been so darn slow to implement it. You could literally "walk the tree" from the root DNS zone to your address you are looking at, and make sure they are all valid.

Re:Geee! (1)

swillden (191260) | more than 4 years ago | (#31663382)

things would be much easier for both administrators and security guys (is there a proper name for them?) if the concepts of data encryption on the wire and authentication of the other party were separated both in protocol and implementation

They're not separable. How can you have any assurance that your communications are secret if you don't know who you're talking to?

Authentication can exist just fine without encryption, but if you want privacy you must have both authentication and encryption.

Re:Geee! (1)

tapanitarvainen (1155821) | more than 4 years ago | (#31666172)

Authentication can exist just fine without encryption, but if you want privacy you must have both authentication and encryption.

Encryption without authentication isn't worthless, however: it won't protect you from a targeted attack, but it will help against those throwing their nets far and wide in the hope of seeing something interesting. If all http sessions were encrypted and https differed only by having authentication too, it would make blackhats' lives significantly harder without any obvious downside. In particular it would help also those seriously concerned about privacy by making encrypted communication less conspicuous.

Of course it could cause false sense of security in some - but looking at how the vast majority of people trust even unencrypted communications, indeed many trust http more than https with self-encrypted keys, I can't see how it could get worse. Just show the lock symbol or whatever only with authenticated communications but encrypt everything anyway, and everybody would be better off (except spooks and perhaps certificate sellers).

Re:Geee! (1)

swillden (191260) | more than 4 years ago | (#31666324)

I actually agree with the opportunistic encryption approach. I've posted numerous times on /. about how browsers should silently accept and use self-signed certs, and just not show the lock icon. It's important, though, to understand that opportunistic encryption of that sort is effective only against passive eavesdroppers. Anyone able to mount a MITM attack can defeat it, and the attack doesn't need to be targeted. Indeed attackers with sufficient access and capability can still "throw their nets far and wide".

Still, with the limitations understood, opportunistic encryption is a good thing, and we should be doing it everywhere possible. Perhaps coupling it with key change detection similar to what SSH does could help a bit, too, though it would have to be implemented with a great deal of care to avoid false positives that would reduce its value to nil. Of course, any site that is normally "secure" (meaning it has a real certificate) that presents a self-signed cert should get flagged in a major, scary way.

Re:Geee! (3, Insightful)

pushing-robot (1037830) | more than 4 years ago | (#31662322)

To use the Packet Forensics box, a law enforcement or intelligence agency would have to install it inside an ISP, and persuade one of the Certificate Authorities — using money, blackmail or legal process — to issue a fake certificate for the targeted website. Then they could capture your username and password, and be able to see whatever transactions you make online.

Granted, TFA states that a hacker could potentially circumvent the more difficult parts by using social engineering—registering a certificate that looks like it matches a particular web site and hoping surfers will manually accept it. But that's again a problem with the certificate authority and/or user, not SSL itself.

All the article really boils down to is that SSL is useless if the client and server can't trust the certificate authority. Which should be freaking obvious.

Re:Geee! (1)

hitmark (640295) | more than 4 years ago | (#31667984)

if the time comes that technology works even in the face of human stupidity, humanity have managed to make themselves obsolete.

Re:Geee! (1)

muckracer (1204794) | more than 4 years ago | (#31668106)

> the article really boils down to is that SSL is useless if the client and server
> can't trust the certificate authority. Which should be freaking obvious.

Yet we all do!

Re:Geee! (3, Funny)

Anonymous Coward | more than 4 years ago | (#31662354)

Like OMFG! Mallory you are such a bitch!

- Alice

Re:Geee! (0)

Anonymous Coward | more than 3 years ago | (#31673946)

Like OMFG! Bob you are such a bitch!

- Mallory^H^H^H^H^H^H^H^H Alice

Re:Geee! (2, Interesting)

mandelbr0t (1015855) | more than 4 years ago | (#31662906)

To use the Packet Forensics box, a law enforcement or intelligence agency would have to install it inside an ISP, and persuade one of the Certificate Authorities — using money, blackmail or legal process — to issue a fake certificate for the targeted website. Then they could capture your username and password, and be able to see whatever transactions you make online.

This is kind of an important paragraph too. Sure, it's possible to make an appliance that does that, but it is not as simple as the FBI (or any other three-letter organization) buying the boxes. There's a serious legal/technical issue that needs to be overcome as well. Sure, warrantless wiretapping might make some of this possible, but to legally force a Certificate Authority to issue a fake certificate? No Certificate Authority worth anything would undermine their integrity in this fashion, and any law that would force them to do so in certain circumstances is effectively giving the government the right to commit forgery in the name of justice. Such a law would be the pinnacle of hypocrisy. Don't get me wrong; I don't underestimate the erosion of freedom in the United States, but I'm having a hard time believing that any government would act with such impunity. I was unable to find any example of a law enforcement agency using forged documents to entrap a suspect, probably because such evidence would not hold up in any court that truly represented justice.

Re:Geee! (1)

Gamma747 (1438537) | more than 4 years ago | (#31665626)

No Certificate Authority worth anything would undermine their integrity in this fashion

Thanks to how browsers handle SSL certificates, they don't need to get the signing key from a reputable CA, they just need to get one from any CA approved by your browser.

any law that would force them to do so in certain circumstances is effectively giving the government the right to commit forgery in the name of justice

Thanks to some of the provisions in the USA PATRIOT Act, the FBI can send out a National Security Letter [wikipedia.org] and force a CA to turn over their private key. It's unlikely that the CA would publicly disclose that their key had been compromised, as that would be bad for business.

Re:Geee! (1)

Wingman 5 (551897) | more than 4 years ago | (#31666368)

I agree that this most likely will not happen in the US for the same reasons you stated. However, I do not see this out of the realm of possibility of a more oppressive government like China or N. Korea.

Re:Geee! (1)

Wingman 5 (551897) | more than 4 years ago | (#31666452)

Who here has "CNNIC ROOT" left over from the default install in their windows(or firefox) cert list? I bet they would be more likely to give up a signed CA cert then VeriSign would.

Re:Geee! (1)

PybusJ (30549) | more than 4 years ago | (#31667798)

Mind you the world is larger than the USA, and if you think there are legal impediments to this happening in the US, there are certainly many parts of the world where the local government would not have any problem (moral or legal) in using such technology.

An attacker doesn't need a cert from the most trusted CA, the least trusted in any of dozens of countries round the world who operate CAs will do.

A CA who was caught doing this would probably be removed by all the browsers, but as yet there's no real mechanism for users to notice and make this known.

Re:Geee! (1)

Hurricane78 (562437) | more than 4 years ago | (#31663376)

Bank?? Website??
What is this? The dark ages?

Get yourself some FinTS [wikipedia.org] client! (And a bank that offers it. Every bank that doesn’t, is a fraud anyway.)

Re:Geee! (1)

hitmark (640295) | more than 4 years ago | (#31668008)

do they come as a pocket sized device with a UMTS Radio?

Re:CA do not have strong enough wording in denying (0)

Anonymous Coward | more than 4 years ago | (#31667428)

Lets look at some of the quotes:

"I've read studies and heard speeches in academic circles that theorize that concept, but we never would issue a 'fake' SSL certificate,"

"we have never had a single instance where law enforcement asked us to do something inappropriate."

"Verisign has never issued a fake SSL certificate, and to do so would be against our policies," said vice president Tim Callan.

Lets see they can issue real certificates to the government for any domain that the government wants. They feel that it is appropriate because they are helping the government. The government probably said that they were helping to catch terrorists.

Is it possible to have a double or triple signed certificate so that several CA would have to sign?

Re:Geee! (1)

muckracer (1204794) | more than 4 years ago | (#31668064)

> http://www.wired.com/threatlevel/2010/03/packet-forensics/ [wired.com]

> The basic point is that in the status quo there is no double check and no
> accountability," Schoen said. "So if Certificate Authorities are doing things
> that they shouldn't, no one would know, no one would observe it. We think at
> the very least there needs to be a double check."

And the tragic thing is, we pay A LOT of money for this nonsense. As far as I am concerned, the entire CA industry was from the get-go one of the biggest money-making scams ever. That TLA's etc. could get perfectly acceptable MITM-certificates was always clear because the implemented CA/SSL model purposefully twisted the notion of trust on both human and technological levels into absurdity. Hell, I am waiting for the revelation, that (some of) the CA-mega-cash-cows are actually NSA and/or Mossad and/or [a few more] front-ends and we have paid for the massive build-up and extension of Big Brother under the guise of security and protection, from, well...among other things...Big Brother!

Obligatory meme (2, Funny)

Reality Master 301 (1462839) | more than 4 years ago | (#31661938)

Be sure to encrypt your Ovaltine!

Ovaltine (5, Funny)

MrEricSir (398214) | more than 4 years ago | (#31662096)

Why do they call it Ovaltine? The mug is round. The jar is round. They should call it Roundtine.

Re:Ovaltine (1)

idontgno (624372) | more than 4 years ago | (#31662784)

From da wikipage: [wikipedia.org]

Ovaltine was developed in Berne, Switzerland , where it is known by its original name, Ovomaltine (from ovum, Latin for "egg", and malt, originally its main ingredients)

Yes, I'm sure you were joking. Haha funny, joke go whoosh.

But it's still a good question with, apparently, a sensible but non-obvious answer.

Re:Ovaltine (0)

Anonymous Coward | more than 4 years ago | (#31663436)

Whoooooosh ! [youtube.com]

Re:Ovaltine (1)

93 Escort Wagon (326346) | more than 4 years ago | (#31662986)

Why do they call it Ovaltine? The mug is round. The jar is round. They should call it Roundtine.

You really need a mentor.

Re:Ovaltine (1)

Knara (9377) | more than 4 years ago | (#31663008)

"He's my protégé!"

Re:Ovaltine (3, Funny)

Anonymous Coward | more than 4 years ago | (#31665452)

That's gold, Jerry. GOLD!

OHH MY EYES!! (0)

csueiras (1461139) | more than 4 years ago | (#31661948)

They seriously need to get some better web designers because their site looks like 1990s took a trip to the future and vomited.

Re:OHH MY EYES!! (0)

Anonymous Coward | more than 4 years ago | (#31662774)

personally, I miss the 1990s.. when links to files were not huge masses of redirecting javascript designed to make the visitor jump through hoops to download a simple file. index of / is good enough for me.

Re:OHH MY EYES!! (1)

Tetch (534754) | more than 4 years ago | (#31665496)

> their site looks like 1990s took a trip to the future and vomited

I echo my sibling's comment in that I have no problem at all with the website's style - I'd far rather have a simplistic straightforward HTML-driven site than some stupid Javascript-redirect-driven graphic-design student project. This is really important for security-related software distribution sites where it's necessary to be absolutely sure where your downloads are coming from.

The site does however have some problems with organisation of content - e.g. it'd be nice if they followed some more de-facto site-structure conventions like having a "Downloads" link to a page which provides the source tarballs, and states explicitly that there are no binaries available ... and maybe even provides links to the more common Linux distro repositories where binaries may be found, even places where (gasp) Windows binaries can be found .... like http://www.stunnel.org/download/binaries.html [stunnel.org] (the place I always used to go to get my Windows OpenSSL binaries, but which seems a little unmaintained these days) .... or http://www.slproweb.com/products/Win32OpenSSL.html [slproweb.com] (which is a lot more up to date, and professionally organised).

There is an openssl.org page with info about Win32 binaries :
http://www.openssl.org/related/binaries.html [openssl.org]
(which links to the www.slproweb.com site) but it's not easy to find (IMHO).

And then there's the awful documentation, as many others have mentioned. I'd offer to help out with that if I was half-way crypto-competent enough to do so.

But the site's retro style is fine ... the use of colours is restful on the eyes, and avoids use of the stupid 2-point flyspec fonts so beloved of those whose eyes are much younger than mine and who aren't worrying about damaging them :)

Waaahoo! (4, Funny)

MarkRose (820682) | more than 4 years ago | (#31661952)

Fantastic! It's finally ready for production use! I can't until websites start using openssl! And I'll even be able to use a secure shell! Awesome!!

Re:Waaahoo! (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#31662186)

Are you some kind of retard?

Re:Waaahoo! (1)

Hurricane78 (562437) | more than 4 years ago | (#31663392)

Woops, there is a bug: It accidentially the whole server!

The worst documentation I've ever seen (0, Insightful)

Anonymous Coward | more than 4 years ago | (#31661966)

Version 1.0 and I'm sure the docs are all outdated as they always have been. They really need to get their shit together when it comes to some decent documentation.

And in the better-late-than-never department (5, Funny)

Accidental Angel (2899) | more than 4 years ago | (#31661976)

From the Changelog:

  • BeOS support.

Re:And in the better-late-than-never department (2, Informative)

CharlyFoxtrot (1607527) | more than 4 years ago | (#31663486)

From the Changelog:

  • BeOS support.

Just in time for Haiku [haiku-os.org] . Alternative open source OS's need some love too.

Re:And in the better-late-than-never department (-1, Troll)

arndawg (1468629) | more than 4 years ago | (#31664784)

Fat chicks needs love to, that doesn't mean we should give it to them. But hey. If some drunk openssl developer wants to do it, I'm not here to judge.

1.0 they finally got it right! (3, Interesting)

Tiger4 (840741) | more than 4 years ago | (#31662030)

Now that the first version is finally in relaase, how long before the first set of changes hits? Everybody knows 1.0 of anything is full of bugs.

And on a more serious note, did anyone ever publish a specification of what a 1.0 release should have in it? Or is this somewhere between "declare victory" and "declare exhaustion"?

Re:1.0 they finally got it right! (1)

RayMarron (657336) | more than 4 years ago | (#31662360)

My first thought was that they just ran out of digits in the 0.9 space! :p

(but seriously... great product, I make use of it myself)

Re:1.0 they finally got it right! (1)

c++0xFF (1758032) | more than 4 years ago | (#31662936)

Everybody knows 1.0 of anything is full of bugs.

This is actually changing somewhat, at least when it comes to open source. Go through the repository for any major Linux distro and note how many pre-1.0 packages there are. They may be "pre-release," but that doesn't mean that the quality is terrible.

Remember that an increment in the major version indicates a significant "milestone" of one type or another. Traditionally, the milestone has been the addition of a major set of features. But some open-source packages are using it to mean "release quality." In other words, 1.0 is actually very stable and feature-complete, and that's the milestone that's been achieved to warrant the major-version change.

That's not to say this is universal. A well-known example would be KDE 4.0 (please, let's keep flames, trolls, and holy wars to a minimum), which was a huge leap from the 3.x series. The jump made the major-version change necessary, but everybody admits that it was never ready (nor meant to be ready) for daily use.

In the commercial world, however, releases mark a money-making milestone: the company can now market a large set of new features to sell! "Now with more bugs!" should be on the box. That's why the traditional model of software versions makes you wary of the big 1.0.

micro magnum (0, Troll)

epine (68316) | more than 4 years ago | (#31665156)

In some of these open source projects, version 1.0 is like the first time the odometer in your car rolls over. Or like a couple who finally decide to get married after 15 years of living in sin. I wonder if this big decision involved a trip to Vegas.

Version 1.0 isn't that different from getting marriage. Some enter into it on the basis of hope and enthusiasm with neither experience nor skill, while others circle each other like planets in a decaying orbit.

A long run in the zero point nineties is like the people who are technically married, but have not yet escaped their parents' basements, lacking either the spirit or means of independence.

Then comes the bold and tremulous day when they finally cut the apron strings, while everyone stands around in state of genuine micro-perplexity going "I had no idea".

I read the other day that the dung beetle has been discovered to be one of the world's strongest organisms by body mass. I've never seen a single dung beetle toting a Champagne magnum. It's clear they can't get the cork out. Or maybe no one has figured out how to make the bubbles small enough to fit in the bottle.

Re:1.0 they finally got it right! (0)

GuruBuckaroo (833982) | more than 4 years ago | (#31663160)

I'm waiting until Service Pack 2.

Re:1.0 they finally got it right! (1)

L4t3r4lu5 (1216702) | more than 4 years ago | (#31667596)

It is widely understood that when converting version numbers between closed-source and open-source revision schemes, you should always shift the decimal point one space to the left.

ClosedSource 1.0 = OpenSource 0.1

Documentation (5, Insightful)

Anonymous Coward | more than 4 years ago | (#31662068)

openssl(1): [STILL INCOMPLETE]
ssl(3): [STILL INCOMPLETE]
crypto(3): [STILL INCOMPLETE]
HOWTO: [STILL INCOMPLETE]

I would trade in the last 12 months worth of OpenSSL development for some decent documentation. [STILL INCOMPLETE] is a half truth as well; the complete bits suck in novel ways.

Re:Documentation (2, Interesting)

monoqlith (610041) | more than 4 years ago | (#31663492)

This is precisely why I'm using GnuTLS [gnu.org] for a project I'm working on right now. The documentation is fairly complete, with lots of examples, and (probably) every function described. I'm not totally sure about a comparison between GnuTLS vs. OpenSSL in terms of speed or functionality, but as long as the code works well, good documentation can make the difference between using something and not using something.

Re:Documentation (1)

TheRaven64 (641858) | more than 4 years ago | (#31668084)

I'm sure GnuTLS is fine, in terms of functionality, but since it was developed solely in response to the OpenSSL license (typical GNU project - the existing license isn't GPL-compatible, let's produce a replacement with a less permissive license), it hasn't had anything like the testing or auditing that OpenSSL has received. For security software, this is very important.

Interesting.... (2, Interesting)

Seakip18 (1106315) | more than 4 years ago | (#31662092)

Looking over the changelog, it appears Google sponsored alot of the changes.

Guess they wanted to make sure openSSL is a good bit more secure, being that it's a hot button issue and all.

I have great respect for the OpenSSL project... (0, Offtopic)

Max Romantschuk (132276) | more than 4 years ago | (#31662118)

...but when it comes to version numbers I've grown fond of Ubuntu's approach, with month and year as the version. It makes it very simple to tell if you have a fresh or stale copy of something.

But then again, OpenSSL is a library. Version numbering schemes hardly matter for something like that.

Re:I have great respect for the OpenSSL project... (1)

paskie (539112) | more than 4 years ago | (#31662514)

Actually, if your library version is the same as project release version, the numbering scheme matters very much, since it's well-defined in the UNIX (or at least ELF?) environment - for version a.b, all a.x versions must be ABI forward-compatible: if it runs with 1.0, it must also run with 1.1; if it runs with 1.1, it might not run with 1.0 (usually, a third number is added for non-ABI-changing updates). Traditionally, if you don't want to guarantee ABI compatibility just yet, you use a=0.

You could say the "mistake" OpenSSL might have done is tying its shared library version with the project release version (which is not really neccessary). ...or taking so long to start guaranteeing ABI compatibility, since not having it is a royal PITA.

Re:I have great respect for the OpenSSL project... (1)

Hurricane78 (562437) | more than 4 years ago | (#31663550)

You mean the WINDOWS approach. You know that MS started that “trend”, and that we all hated it, back then?
We still do, for the same reasons.

Also, software doesn’t go stale, so your “argument” is false. If there is nothing to change, because it is fine as it is, and nobody finds bugs despite searching for them, would you stop using a program, just because it’s older??

The reason MS introduced date version numbers, was to HIDE that actually not much changed, and that a update wasn’t worth at all. Because their incomes depended on us buying yet another “new” version.
Now they went back to version numbers.

The really sad thing is, that the open source desktop groups imitate every little completely retarded change from MS (who itself imitate(d|s) Apple, Xerox and others). But cares, to make it that little bit worse and more annoying. KDE is a perfect example. The Kicker menu, the file browser, etc. You could put a Windows skin on it, rename the menu entries, and you would only know the difference to Windows by which one is more annoying. (Dolphin even still imitates things that MS did in Windows 95, like the single-click interface, and that they realized was a horrible idea, a bit later.)
I wish they would grow some balls, stop using the “newbie” excuse, and show that they can lead the way into something better, instead of guaranteeing to never ever surpass MS, by just imitating every crappy thing from them as a self-enforced eternal bridesmate.

Re:I have great respect for the OpenSSL project... (1)

Max Romantschuk (132276) | more than 4 years ago | (#31667296)

You mean the WINDOWS approach. You know that MS started that “trend”, and that we all hated it, back then?
We still do, for the same reasons.

Actually, Adobe did it with Illustrator way back in 88.

Also, software doesn’t go stale, so your “argument” is false. If there is nothing to change, because it is fine as it is, and nobody finds bugs despite searching for them, would you stop using a program, just because it’s older??

Lots of software goes stale. Libraries cease to work with newer file formats and/or protocols. Programs don't understand newer formats or keep supporting features deprecated ages ago.

Granted, some software can stay the same for decades, but there is a lot that does need updating to keep with the times.

I stand by my argument that having a release with a "date stamp" makes it easier to keep track of these things. It's by no means the only approach, but it a perfectly sensible one.

Re:I have great respect for the OpenSSL project... (1)

MikeBabcock (65886) | more than 4 years ago | (#31669644)

There is no mathematical difference between a date stamp and a version stamp if they both increment by arbitrary amounts over releases and programmers can't move backward in time.

I don't understand why anyone would discuss such a difference at all.

See the versioning scheme for TeX [wikipedia.org] for another option.

Re:I have great respect for the OpenSSL project... (1)

Max Romantschuk (132276) | more than 4 years ago | (#31673594)

There is no mathematical difference between a date stamp and a version stamp if they both increment by arbitrary amounts over releases and programmers can't move backward in time.

Good point. :)

I'd heard of the TeX approach before. I like it, but personally I don't have that much fate in the architectural direction most projects to see it as a viable option for universal adoption. ;)

Re:I have great respect for the OpenSSL project... (1)

richlv (778496) | more than 4 years ago | (#31667622)

er, wait. as a kde user, i'm still on kde3, and i could have many complaints about kde4. but...

1. kicker is actually very nice. and i'm saying that as a quite conservative user :)
one *annoying* thing in kde3 version (as per suse) - it opens when mouse is moved in the lower left corner. i hope that thing is at least configurable in kde4, though.

2. single click is actually good... if implemented correctly (which ms never did, which is one of the main reasons it pretty much died off).
and the select/unselect method dolphin provides is extremely cool (even if i use console for my file management needs 95% of the time) - i find myself missing it when using kde3 daily for some photo sorting.
besides, you can set kde to doubleclick - although i don't remember where exactly, i set it to be like that only for the first few months when i switched from windows :) (and that was around kde2/3)

Re:I have great respect for the OpenSSL project... (0)

Anonymous Coward | more than 4 years ago | (#31671314)

...but when it comes to version numbers I've grown fond of Ubuntu's approach, with month and year as the version. It makes it very simple to tell if you have a fresh or stale copy of something.

But ... that's what they did? ... just remove the dot and from 1.0 ... and you get?

Perl dependency (2, Interesting)

0dugo0 (735093) | more than 4 years ago | (#31662120)

Why the flip does it need to depend on perl5? I'll never get ssh running on 386BSD this way.

Re:Perl dependency (2, Funny)

Anonymous Coward | more than 4 years ago | (#31662404)

(sorry, obligatory)

haven't you heard? After looking at thousands of perl scripts, it became clear that it's the best way of making something unreadable, so openssl "encrypts" via making obfuscated perl (redundant, I know - as if there's any other kind!). decrypting just needs a key, a perl interpreter, and blood. Of goats. Lots of them.

-- just another brick in the larry wall

Re:Perl dependency (1)

93 Escort Wagon (326346) | more than 4 years ago | (#31663018)

Why the flip does it need to depend on perl5? I'll never get ssh running on 386BSD this way.

It has a circular dependence with Net::SSLeay

Re:Perl dependency (0)

Anonymous Coward | more than 4 years ago | (#31665374)

Don't you mean "circle jerk dependency of Net::SSLeay"?

Re:Perl dependency (0)

Anonymous Coward | more than 4 years ago | (#31664156)

You can take up issues like this here:
http://www.openssl.org/support/rt.html
Although I must say that I'm sort of disappointed that it doesn't have a real open bug tracker, like most other projects.

Please please keep a stable ABI (1)

amorsen (7485) | more than 4 years ago | (#31662246)

OpenSSL has until now had the least stable ABI of all commonly used Unix libraries. Having to upgrade half the system for a change from 0.98f to 0.98g is rather sad. Especially when bug fixes come with ABI changes.

Re:Please please keep a stable ABI (0)

Anonymous Coward | more than 4 years ago | (#31662340)

Since it states that 'ABI compatilibity drastically reduces performance' I'm not sure 1.0 actually fixes anything. As I understand it, ABI compatibility has been possible in OpenSSL for years, but doing so adds so much overhead as to make it a dog?

But that's just what I read in the help docs on the website, so what do I know.

Re:Please please keep a stable ABI (1)

amorsen (7485) | more than 4 years ago | (#31667184)

All their competitors manage it, and there's no bug reports in the Fedora bugzilla about software getting dog slow after switching to Mozilla's TLS-library.

Re:Please please keep a stable ABI (1)

Karellen (104380) | more than 4 years ago | (#31663686)

Yes, but pre-1.0 versions of, well, pretty much anything, do not have stable A[PB]Is. That's one of the things about being pre-1.0; everything is still subject to change.

Now, all future 1.x(.y) releases should be A[PB]I backwards compatible with 1.0.0. If they're not, yes, that would be bad release management. But until they do that, I don't think it's entirely fair to complain about it.

Re:Please please keep a stable ABI (1)

amorsen (7485) | more than 4 years ago | (#31667168)

Yes, but pre-1.0 versions of, well, pretty much anything, do not have stable A[PB]Is.

This would be a valid response for a project which hasn't been in development for over a decade.

Can't wait for the IPad App! (0, Offtopic)

goffster (1104287) | more than 4 years ago | (#31662318)

Iphone OS 45.6 ?

ubuntu is coming.. (0)

Anonymous Coward | more than 4 years ago | (#31662440)

and so do many other stuff, just getting ready to be included in the next LTS version, which should be installed in a number of computers that just a few years ago no one could have even imagined.

So.. just coincidence? should we really thank canonical for this version-number pushing effort? It looks this way.

Regards

Re:ubuntu is coming.. (1)

mirix (1649853) | more than 4 years ago | (#31663098)

Not bloody likely. OpenSSL and OpenSSH are a wee bit bigger than ubuntu, imo.

1.0, eh? (0)

Anonymous Coward | more than 4 years ago | (#31663196)

So surely that means it's gotten rid of all that certificate nonsense, right?

11 Years for version 1.0? (0, Flamebait)

Schraegstrichpunkt (931443) | more than 4 years ago | (#31664518)

Eleven years for version 1.0? This just goes to show that SSL is way too complicated.

Go read Peter Gutmann's X.509 Style Guide if you want to cry. If that doesn't work, try implementing an ASN.1 library from scratch.

I'll take SSH and SPKI any day over the X.509/TLS mess.

Next you're telling me... (2, Funny)

unwesen (241906) | more than 4 years ago | (#31668004)

... Duke Nukem Forever has ALSO been released.

Re:Next you're telling me... (2, Funny)

muckracer (1204794) | more than 4 years ago | (#31668148)

> ... Duke Nukem Forever has ALSO been released.

It has. But only for HURD right now....

Re:Next you're telling me... (1)

unwesen (241906) | more than 4 years ago | (#31668302)

Damn! I'm running Plan9 here!

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...