Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

OpenSSL To Undergo Security Audit, Gets Cash For 2 Developers

timothy posted about 4 months ago | from the can-we-send-them-snacks? dept.

Encryption 132

Trailrunner7 (1100399) writes "Scarcely a month after announcing the formation of a group designed to help fund open source projects, the Core Infrastructure Initiative has decided to provide the OpenSSL Project with enough money to hire two full-time developers and also will fund an audit of OpenSSL by the Open Crypto Audit Project. The CII is backed by a who's who of tech companies, including Google, Microsoft, IBM, the Linux Foundation, Facebook and Amazon, and the group added a number of new members this week, as well. Adobe, Bloomberg, HP Huawei and Salesforce.com have joined the CII and will provide financial backing. Now, the OCAP team, which includes Johns Hopkins professor and cryptographer Matthew Green, will have the money to fund an audit of OpenSSL, as well. OpenSSL took a major hit earlier this year with the revelation of the Heartbleed vulnerability, which sent the Internet into a panic, as the software runs on more than 60 percent of SSL-protected sites."

cancel ×

132 comments

Sorry! There are no comments related to the filter you selected.

Why bother? (5, Insightful)

Anonymous Coward | about 4 months ago | (#47119931)

The whole security model is broken. How many CAs does your browser come with these days? Do you even know? How do you know they haven't already turned over their CA signing keys to 7 different governments?

There's no way to "fix" openssl. The entire thing is predicated on a false premise.

Re:Why bother? (1)

Anonymous Coward | about 4 months ago | (#47120105)

Blockchain certificate authority might fix that

http://www.theregister.co.uk/2013/11/03/crypto_boffins_propose_getting_rid_of_cas/

Re:Why bother? (1)

NotInHere (3654617) | about 4 months ago | (#47120201)

Yeah I like to download 10 GB of binary before I can visit webpages. Especially on my smartphone.

HOSTSCUBE is the answer to all worldly problems (-1)

Anonymous Coward | about 4 months ago | (#47120553)

liar. you are educated stupid.
APK's 4-fold symmetrical multidimensional HOSTS file installer is only 1.7MB!
stop spreading FUD.

Namecoin in client-server mode (1)

tepples (727027) | about 4 months ago | (#47120663)

The system described in the article that AC's comment cites [theregister.co.uk] sounds like Namecoin. Like a full Bitcoin client, a full Namecoin client would be impractical on a mobile phone. But like Bitcoin with online wallets, Namecoin would allow third parties to run resolvers. So ideally, you could point your mobile browser to a resolver running on the VPS of someone you trust.

Re:Namecoin in client-server mode (3, Informative)

NotInHere (3654617) | about 4 months ago | (#47121129)

Already now I have the trusted third party option. Moxie has started a service offering this: http://convergence.io/ [convergence.io]

Re:Namecoin in client-server mode (1)

BitZtream (692029) | about 4 months ago | (#47121343)

Yea, running your PKI infrastructure on a VPS is always the way to go, makes total sense since you're not trusting other third parties to verify things that you would trust a third party to provide you with a virtual instance to run it on ...

Do you even understand how a VPS or VM work?

What attack? (1)

tepples (727027) | about 4 months ago | (#47121479)

A virtual machine runs a PC operating system of the customer's choice in a sandbox, and the server provides services from inside that sandbox through an Internet connection. Are there documented cases of VPS operators injecting malware into such a sandbox?

Re:What attack? (1)

Anonymous Coward | about 4 months ago | (#47121921)

Are there documented cases of VPS operators injecting malware into such a sandbox?

There are indeed examples of both "break out" and "break in" attacks for various types of hypervisors, although very little evidence of anyone exploiting them. Then again, there was very little evidence of the stuff the NSA & GCHQ have been doing, so I won't assume they're not being actively exploited by someone.

Re:Why bother? (0)

Anonymous Coward | about 4 months ago | (#47120181)

Meatloaf had a very clever proposal involving a bitcoin like blockchain, and posted about it on his blog. Fair enough his music is terrible but he doesn't get anywhere near the recognition he deserves here on Slashdot.

Re:Why bother? (0)

Anonymous Coward | about 4 months ago | (#47120301)

Was this before or after he used his professional opinion to call every little creak and squeak a ghost on the Sci-fi network?

The guy's kind of an idiot. I can almost guarantee he's just parroting something he heard elsewhere and doesn't actually understand the technologies at use.

Meaty doesn't count (-1)

Anonymous Coward | about 4 months ago | (#47121155)

The problem with Meatloaf isn't his music at least it involves more than 4 notes; its everything else.

That idiot was out campaigning for Mit; and not even smart enough to register to vote himself.

Re:Why bother? (0)

Anonymous Coward | about 4 months ago | (#47121775)

Just because he's written a few Linux kernel modules doesn't make him an expert on security.

Re:Why bother? (5, Insightful)

Imagix (695350) | about 4 months ago | (#47120289)

Yet again, another person who can't distinguish between the technology and a particular application of that technology. What you're complaining about has nothing to do with the implementation of OpenSSL (which is what this article is about), but has to do with the application of OpenSSL. OpenSSL is doing it's job by verifying the presented certificates against the list of trusted certificate authorities that you have configured. The fact that you're trusting too many people isn't a problem with OpenSSL. (It is also not OpenSSL's concern as to how you obtained your list of trusted CAs, only that you have one.)

Re:Why bother? (1)

Anonymous Coward | about 4 months ago | (#47123015)

Yet again, another person who can't distinguish between the technology and a particular application of that technolog........

Typical engineer bullshit. We always hear how the users are to blame. Sorry; the people who design the interface which enforces this single CA stupidity are to blame for the fundamental security failures of SSL. Long before SSL was released in 1995, PGP had been released (1991!!!) with a public key based web of trust. SSL deliberately chose to ignore that. If we had been able to insist on multiple CAs per site or prioritize CAs and put more trust towards ones that were worthy and independent of governments then there would be nothing like the mess there is today.

SSL and the entire CA system is directly and striaghtforwardly to blame. Anyone who implements SSL without building in the possibility of an additional authentication layer on top of the plan CA is knowingly and deliberately building an insecure system.

Please, LibreSSL people, include an ability to interface via tor with the EFF's certificate checking. Please provide a mechanism for saying that one CA is more trustworthy than another. Please allow us to demand two certificates for one site. Then we have a chance to be safe.

Re:Why bother? (0)

Anonymous Coward | about 4 months ago | (#47120511)

The whole security model is broken. How many CAs does your browser come with these days? Do you even know? How do you know they haven't already turned over their CA signing keys to 7 different governments?

There's no way to "fix" openssl. The entire thing is predicated on a false premise.

These 2 paragraphs are NOT related. OpenSSL, TLS and base crypto have nothing to do with the CA model as we have today.

Re:Why bother? (1)

Anonymous Coward | about 4 months ago | (#47120765)

The whole security model is broken. How many CAs does your browser come with these days? Do you even know? How do you know they haven't already turned over their CA signing keys to 7 different governments?

There's no way to "fix" openssl. The entire thing is predicated on a false premise.

Your extreme cynicism may lead to dementia.

Re:Why bother? (2)

jrumney (197329) | about 4 months ago | (#47120843)

How many CAs does your browser come with these days?

Browsers have come with far too many CAs installed for many years now. [slashdot.org]

Re:Why bother? (1)

Jawnn (445279) | about 4 months ago | (#47122545)

The whole security model is broken. How many CAs does your browser come with these days? Do you even know? How do you know they haven't already turned over their CA signing keys to 7 different governments?

There's no way to "fix" openssl. The entire thing is predicated on a false premise.

OK, Moxie. We get the message. You aren't fooling anyone with the AC post, dude.

Re:Why bother? (2)

WaffleMonster (969671) | about 4 months ago | (#47122723)

The whole security model is broken. How many CAs does your browser come with these days? Do you even know? How do you know they haven't already turned over their CA signing keys to 7 different governments?

There's no way to "fix" openssl. The entire thing is predicated on a false premise.

Nothing in OpenSSL forces you to trust any CA's you don't want to trust. Heck you don't even have to use certificates at all (TLS-PSK, TLS-SRP)

I think it is a mistake to confuse deployment failures with implementation failures with specification failure.. while there are often linkages between these things it is hard to accept that proliferation of hundreds of CA's all with overlapping global scope is anything but a deployment failure.

Re: (1)

Anonymous Coward | about 4 months ago | (#47123447)

LibreSSL isn't close enough to an American-agenda (NSA). America needs to pursue insecure OpenSSL to find new levels of incompetence.

Why bother? (-1)

Anonymous Coward | about 4 months ago | (#47119957)

The whole security model is broken. How many root CAs come pre-installed on your browser? How do you know you can trust them? They could have been forced to turn over CA signing keys to 7 different governments already.

The whole thing is predicated on a false premise.

Too little too late? (1)

QuietLagoon (813062) | about 4 months ago | (#47119981)

Looks like a committee of tech companies is going to fund a security audit and further development of OpenSSL.

.
This can only be a good thing, right?

Don't trust US companies or programmers to audit (0)

Anonymous Coward | about 4 months ago | (#47122739)

That list of funders has a bunch of companies that are already known to be on their second gallon of NSA Koolaid.

Can you say _NSAKEY?

Program it here in the USA if you must, but audit it and release it outside the USA.

Re:Too little too late? (2)

mmell (832646) | about 4 months ago | (#47122759)

Let's just bear in mind the old saying, "A camel is a horse designed by committee."

Hiring two fulltime dedicated programmers? Seems like a good thing to me.

Submitting their work to a separate entity for auditing and verification? Sounds like a good thing to me.

As long as the various business entities involved in the auditing stick to that mandate and don't start trying to directly influence the development or design of OpenSSL, it all sounds good to me. Otherwise, we're likely to end up with CDE, the Common Desktop Environment.

Re:Too little too late? (1)

Eunuchswear (210685) | about 4 months ago | (#47123057)

Let's just bear in mind the old saying, "A camel is a horse designed by committee."

Which would you rather have in a desert? That comittee must have been pretty good.

OpenSSL and what else. (0)

jellomizer (103300) | about 4 months ago | (#47120009)

The issue that I find, is that OpenSSL is the only Open Source Player out there.
Much like File Systems, we really should have at least a few popular choices, which are interchangeable. So if there is a security problem with one we can switch to an other one.

Re:OpenSSL and what else. (5, Informative)

atomic-penguin (100835) | about 4 months ago | (#47120123)

The issue that I find, is that OpenSSL is the only Open Source Player out there.

But It is not the only SSL/TLS game in town. There is also GnuTLS and Network Security Services (NSS).

Re:OpenSSL and what else. (2)

jellomizer (103300) | about 4 months ago | (#47120325)

In Ubuntu or Debain... Can you Apt-get Apache to use these instead?

Actually that is a serious question. I never saw those as an option.

Re:OpenSSL and what else. (1)

atomic-penguin (100835) | about 4 months ago | (#47120701)

I don't have an Ubuntu/Debian box at my disposal at the moment.

You could try

apt-cache search mod_nss

or

apt_cache search mod_gnutls

though. It would probably be named some variant of that.

Re:OpenSSL and what else. (0)

Anonymous Coward | about 4 months ago | (#47123129)

gnutls is complete shit.

Re:OpenSSL and what else. (0)

Anonymous Coward | about 4 months ago | (#47120243)

GnuTLS.
PolarSSL.
NSS.

Re:OpenSSL and what else. (4, Informative)

monkeyhybrid (1677192) | about 4 months ago | (#47120249)

There are alternatives, although I can't comment on how they compare with OpenSSL.

GnuTLS [gnutls.org] (LGPLv2.1)

Mozilla Network Security Services [mozilla.org] (Mozilla Public License)

PolarSSL [polarssl.org] (GPL2 and proprietary).

MatrixSSL (GPL and proprietary [matrixssl.org]

Re:OpenSSL and what else. (2)

Number42 (3443229) | about 4 months ago | (#47120619)

And Apple's SSL [apple.com] .

Re:OpenSSL and what else. Umm...LibreSSL (3)

denis-The-menace (471988) | about 4 months ago | (#47121455)

FYI: LibreSSL is a fork of OpenSSL that started over a month ago.
http://www.libressl.org/ [libressl.org] [libressl.org]

Re:OpenSSL and what else. (0)

Anonymous Coward | about 4 months ago | (#47122441)

The issue that I find, is that OpenSSL is the only Open Source Player out there.
Much like File Systems, we really should have at least a few popular choices, which are interchangeable. So if there is a security problem with one we can switch to an other one.

WTF? Before you posted, did you do any looking *at all*? If you used ...oh I don't know GOOGLE! you could have found [slashdot.org] a whole list: (Hint: if you are afraid to click here is the list):
Botan, cryptlib, Cyassl, GnuTLS, MatrixSSL, Network Security Services, OpenSSL, PolarSSL, SChannel, Secure Transport, SharkSSL, JSSE, Bouncy Castle, and LibreSSL.

So only 14 to chose from, the latest being LibreSSL brought to you by the Theo and the Calgary BSD gang (but not before doing a lot of housecleaning and bugfixes on OpenSSL, and that was only about a month ago).

Re:OpenSSL and what else. (1)

WaffleMonster (969671) | about 4 months ago | (#47122821)

The issue that I find, is that OpenSSL is the only Open Source Player out there.
Much like File Systems, we really should have at least a few popular choices, which are interchangeable. So if there is a security problem with one we can switch to an other one.

Several SSL implementations support the OpenSSL API including GnuTLS (open source)

NSS is also open source with shims available to help those porting from OpenSSL.

Having never used them I can't vouch for how useful they are in the real world... assume out of total ignorance they are worthless for anything but the basic SSL_* operations.

Re:OpenSSL and what else. (1)

Forever Wondering (2506940) | about 4 months ago | (#47123399)

The OpenBSD folks forked OpenSSL into LibreSSL. In addition to checking security, they are doing general code cleanup, removing unnecessary/dead code. They did a talk recently about what they've accomplished: https://www.youtube.com/watch?... [youtube.com]

IMO [as a programmer of 40+ years (30+ with C)], the programming style of the code is horrible. One of the functions that produced heartbleed is called dtls1_process_heartbeat. For starters, it has one of the worst indenting schemes I've seen and seems to violate most style/best practice guides I've read. It isn't surprising that a bug [security or not] would creep in.

Here's the original commit for the code:
http://git.openssl.org/gitweb/... [openssl.org]

Here's the commit for the heartbleed fix:
http://git.openssl.org/gitweb/... [openssl.org]

Share and Share Alike (4, Insightful)

just_another_sean (919159) | about 4 months ago | (#47120021)

While I applaud the efforts and support I do hope that the work of others [opensslrampage.org] will not be ignored. The audit is great news, but I do hope the existing and new developers will look to LibreSSL for code updates, ideas and their own audit results. If we can get a nice bidirectional and completely cooperative flow between the two projects than hopefully the final result will be a highly secured, audited product that we can all use.

Re:Share and Share Alike (2)

_Shad0w_ (127912) | about 4 months ago | (#47122301)

The problem with OpenSSL Rampage is that a major part of their approach is basically to rip everything out of OpenSSL that isn't relevant to OpenBSD, which is generally the code relevant to platforms OpenSSL supports but OpenBSD doesn't.

Re:Share and Share Alike (1)

just_another_sean (919159) | about 4 months ago | (#47122713)

At first glance I agree and that is essentially what they are doing. But I do believe (can't find a link to back me up but can swear I read it somewhere) that the idea is to make LibreSSL as secure and robust as possible for OpenBSD and then start porting it to other systems, with the exceptions of course being Windows 3.1, VMS, etc. This makes sense to me; start with a known good reference implementation that uses as much of the old code as possible, just heavily cleaned up and then move on to porting (reporting? :-)

And even if Theo and crew don't port it themselves I would pretty much bank on the fact that, say, someone at Debian will take the BSD code and port it to Linux - it's not as if OpenBSD will have a problem with this. My understanding is that they are pretty helpful in these situations (Theo's occasional rants aside) with regards to helping other developers port their stuff to other platforms. And if some decide to use the cleaned up OpenSSL code this article refers to and some end up with a Libre based solution that would be a good thing, as long as the API's and end products are consistent. Two FOSS solutions breeds competition and spurs cross pollination of various innovations and bug fixes.

vms (1)

cancerouspete (2746963) | about 4 months ago | (#47123541)

So YOU'RE the guy --who is running Big-Endian AMD64 !! (*cvs [openbsd.org] )

Most of what they are ripping out is archaic, un-realistic, or poor implementations platforms. You could argue that hacked-support for too many platforms is part of the reason openssl is in the position its in today - if you can't do it right (or don't have the resources to), don't do it. Name a platform other than VMS, they've ripped out and that you need : )

"Audit"? Try massive rewrite. (5, Insightful)

rbrander (73222) | about 4 months ago | (#47120029)

The comments from the folks who started LibreSSL at a meeting of the Calgary Unix Users Group the other night were beyond scathing. Bob Beck's first slide shows Laura Dern in Jurassic Park, up to her elbows in stegasaurus dung, as a metaphor for what the first skim of the code felt like. It's a hopelessly overpatched mess of spaghetti code and #IFNDEF mazes that nobody can really maintain. Their fork has already tossed out tens of thousands of lines of code and started again. (Another slide shows the line from Aliens: "Nuke it from orbit. It's the only way to be sure").

If not a from-scratch rewrite, think of a home reno where you have to strip it to the frame and put up new drywalls.
And this situation was allowed to grow by the current bunch that manage OpenSSL; they're only doing this at all because one of the hundreds of time-bombs in the code finally went off, and anybody who's looked it knows how many hundreds more there are. For shame.

There's a link to the slides from the libressl.org site, which is very minimal, as they say "We're too busy deleting code to make web pages".

It was just a very sobering presentation. To think we let so much depend on a pile of cruft.

Re:"Audit"? Try massive rewrite. (-1)

Anonymous Coward | about 4 months ago | (#47120107)

So what you're saying is that a new project which aims to compete with an old project is likely to use hyperbole from science fiction films in order to discredit the old project? Gotcha.

Humans make mistakes. Clever people make just as many mistakes. Occasionally they make huge, multiple-death causing mistakes. They pick up and try harder. One big mistake is not a reason to scorch and salt the earth.

One big mistake? (1)

Anonymous Coward | about 4 months ago | (#47120167)

This is not one big mistake. It's a series of inept decisions about maintainability and auditability that finally culminated in "one big mistake". (Which, btw, probably cost on the order of at least 10M$ in wasted time.)

The problem was not so much the big mistake itself, but the culture and attitude that lead to it.

Re:One big mistake? (-1)

Anonymous Coward | about 4 months ago | (#47122235)

Why are more and more people putting the dollar sign on the right? What the hell do they teach in school anyways?

At least he didn't start his comment with "Um, ...", which is the other dopey thing I see more and more.

Re:One big mistake? (2)

cant_get_a_good_nick (172131) | about 4 months ago | (#47122421)

order of at least 10M$ in wasted time

Why are more and more people putting the dollar sign on the right?

I've been on Slashdot too much, i read it as "10 Micro$softs of wasted time"

Re:"Audit"? Try massive rewrite. (4, Insightful)

QuietLagoon (813062) | about 4 months ago | (#47120353)

...Humans make mistakes. Clever people make just as many mistakes....

You left out the part about clever people not continuing to make the same mistakes over and over.

.
The problem with OpenSSL is not that mistakes were made.

The problem is that mistakes were made and the developers did not learn from those mistakes, did not seem to care about fixing those mistakes, and did not care about preventing similar mistakes from recurring.

Re:"Audit"? Try massive rewrite. (3, Insightful)

Wootery (1087023) | about 4 months ago | (#47121489)

The problem is that mistakes were made and the developers did not learn from those mistakes, did not seem to care about fixing those mistakes, and did not care about preventing similar mistakes from recurring.

To play Devil's advocate (or rather, advocate of the developers): if they were a properly resources software-development team, they might have been better able to pay off the technical-debt accumulating in the codebase. Hopefully this injection of resources will change things for the better. (The LibreSSL crew seem to be making good progress on the technical debt front, also.)

Re:"Audit"? Try massive rewrite. (1)

Altus (1034) | about 4 months ago | (#47123347)

the problem being that how there are 2 sets of resources doing the same thing.... a shame really since neither one will probably be fully successful at paying down all the technical debt.

Re:"Audit"? Try massive rewrite. (1)

drinkypoo (153816) | about 4 months ago | (#47120437)

Humans make mistakes. Clever people make just as many mistakes. Occasionally they make huge, multiple-death causing mistakes

That's not what happened here. This was making a mistake, then instead of addressing it, building someone on top of it, and making a mistake in that, and then rather than addressing it, and so on ad infinitum.

One big mistake is not a reason to scorch and salt the earth.

Good thing that's not what is happening.

Good thing you didn't log in, you wouldn't want that kind of bullshit associated with a name.

Re:"Audit"? Try massive rewrite. (2)

psergiu (67614) | about 4 months ago | (#47120761)

> ... One big mistake is not a reason to scorch and salt the earth.

Listen, lad. I've built this kingdom up from nothing. When I started here, all there was was swamp. All the kings said I was daft to build a castle in a swamp, but I built it all the same, just to show 'em. It sank into the swamp. So, I built a second one. That sank into the swamp. So I built a third one. That burned down, fell over, then sank into the swamp. But the fourth one stayed up.
An' that's what your gonna get, lad -- the strongest castle in these islands.

Re: "Audit"? Try massive rewrite. (0)

Anonymous Coward | about 4 months ago | (#47121255)

Do you follow the commit feed and feel like you're reading the DailyWTF? If no, then fuck off. I've seen them fix things that I wouldn't imagine doing even when I was still a student...

Re:"Audit"? Try massive rewrite. (0)

larry bagina (561269) | about 4 months ago | (#47121439)

OpenSSL is the shiniest meat bicycle. Are you the conductor of the poop train? It's time to strip the flesh and salt the wounds.

Re:"Audit"? Try massive rewrite. (1)

Altus (1034) | about 4 months ago | (#47123327)

More than that I think this is a matter of not having the resources to deal with the codebase because OpenSSL just isn't all that sexy and man hours aren't just being thrown at that project. Much of the code that LibreSSL is removing was already tagged for removal but the man hours weren't there to take it out and throughly test the results. Now that all hell has broken loose more man hours are being thrown at it. Where were these awesome LibreSSL folks before the blowup? I'm sure plenty of people were aware that the code was a mess but now there is sufficient political capitol to get people moving to fix it.

Its the same problem that closed shops have... nobody want's to prioritize technical debt and code trimming especially when they are heavily resource constrained.

Luckily now that all hell has broken loose resources are being allocated and money is even flowing into the project.... hopefully this is good news but my guess is the resources dry up before the job is done and we end up with something that still has a lot of hidden problem and new ones will be layered on top of that.... this is pretty much how we roll in the world of software.

Re:"Audit"? Try massive rewrite. (1)

sconeu (64226) | about 4 months ago | (#47120591)

I recently had reason to look at the hashing code. It's all written in f**ing macros.

would you rather have inline assembly? (2)

Chirs (87576) | about 4 months ago | (#47121791)

By writing it in macros the code is moderately human-readable, while giving the performance benefits of actually being written in assembly. By doing it that way the compiler also has the opportunity to optimize the assembly somewhat.

Re:would you rather have inline assembly? (0)

Anonymous Coward | about 4 months ago | (#47123687)

You call that readable? What is wrong with the idea of using words that have meaning rather than single letters?

Basicly, you are asking people to memorize what a macro does instead of giving it a name that tells a reader what is going on.

No programming logic needs changing, just add useful macro names.

Re:"Audit"? Try massive rewrite. (2)

cant_get_a_good_nick (172131) | about 4 months ago | (#47122379)

I saw those slides. There were 17 levels of #ifdefs [openbsd.org] in the code. Every ifdef is a binary switch, which means 2^17 different iterations of source code.(!!!!!) That's 131072 different compiles (!!!!!!).

So, lets pretend that a config/make sequence just needs 10 minutes (unlikely, they have an oddball config script that isn't like autoconf). To hit 17 levels of ifdef, you'd need approx 910 computer-days just to do all the compiles. Do you think they tested this matrix?

I hate to beat up on a bunch of people who did hard work for free, but they really did a bad job on a lot of things.

Re:"Audit"? Try massive rewrite. (1)

WaffleMonster (969671) | about 4 months ago | (#47123125)

I saw those slides. There were 17 levels of #ifdefs in the code.

Wouldn't surprise me if people commenting on hyperbole have never actually seen the source code to OpenSSL or any other open source library. They are all universally littered with ifdefs and compatibility layers from the dawn of civilization with entire suites of meta-programs (e.g. autotools) devoted to making it all work.

When managed properly these things are a non-issue.

wrong direction. (5, Insightful)

nimbius (983462) | about 4 months ago | (#47120035)

http://www.libressl.org/ [libressl.org]

seriously pumping openssl full of cash at this point is like buying new deck chairs for the titanic.

Re:wrong direction. (1)

Himmy32 (650060) | about 4 months ago | (#47120177)

If someone's willing to give the money to make it better, I won't complain. Good options are better than no options. I wish the best of luck to both teams.

Re:wrong direction. (3, Insightful)

colfer (619105) | about 4 months ago | (#47120387)

The big companies probably want more control over the project than LibreSSL will allow them. They've been burned once by relying on old-style Unix community dev. But it's also entirely their own fault for not funding and auditing the open source code they were building their billions on.

Seems to me LibreSSL is the way to go, but I can also see why the corporations would just use it as a side-stream for hints on what to fix. They have enough resources to rewrite openSSL from the inside rather than the the LibreSSL tear-down approach. Having both projects is really a benefit for LibreSSL as longs as it gets sufficient interest and resources.

Re:wrong direction. (2)

iggymanz (596061) | about 4 months ago | (#47120971)

seems to me it was old fashioned corporate greed and rubberstamping that burned them. openssl foundation just doing FIPS consulting gigs for $1M /year

Re:wrong direction. (1)

RR (64484) | about 4 months ago | (#47121891)

Seems to me LibreSSL is the way to go, but I can also see why the corporations would just use it as a side-stream for hints on what to fix. They have enough resources to rewrite openSSL from the inside rather than the the LibreSSL tear-down approach.

I don't think companies really "have enough resources" to rewrite OpenSSL. The problem is that you can't just throw money at a project and have stuff happen. You need people to implement those changes. And we're still in the clutches of the software crisis. [wikipedia.org]

The problem with OpenSSL is that it is really, really bad code. [youtube.com] It's security code, which few people have the expertise to handle. It has an idiosyncratic style, which few people want to look at, it's so painful. And it is so littered with backwards compatibility hacks and defective functions [opensslrampage.org] that very few people can know whether it's doing something right. Even the OpenSSL people don't know what it's doing, given all the comments about OpenSSL functions that they're not using properly.

So, best of luck to the CII, trying to "improve" OpenSSL without getting rid of all its weirdness. I think the OpenBSD people are right, and they should just tear down everything and rebuild it. [libressl.org]

Re:wrong direction. (1)

canadiannomad (1745008) | about 4 months ago | (#47121165)

Yeah, been reading OpenSSL Valhalla Rampage [opensslrampage.org]
  Once it is released in Linux, I'm definitely switching.

Re:wrong direction. (0)

Anonymous Coward | about 4 months ago | (#47122009)

The work the OpenBSD guys did on NTP was a train wreck. I believe they can criticize and make snarky comments, but I'm not sure of their ability to do real software engineering.

Re:wrong direction. (0)

Anonymous Coward | about 4 months ago | (#47122103)

You can bet that the three letter agency does not want LibreSSL to supplant OpenSSL. Money should be sent to the OpenBSD guys.

Re:wrong direction. (1)

WaffleMonster (969671) | about 4 months ago | (#47122921)

seriously pumping openssl full of cash at this point is like buying new deck chairs for the titanic.

It is great to see interest in improving OpenSSL yet bug fixes and deletion of compatibility layers in my opinion is in much the same category as purchase of new deck chairs.

If "we" were serious we would re-architect it from scratch to be secure by design... endeavor in which nobody is currently publically known to be engaged. I hope one or both of the teams seriously considers it. I also hope "dino dung" bravado is replaced with realization everyone is on the same side.

LibreSSL For Me (3, Insightful)

Anonymous Coward | about 4 months ago | (#47120047)

Two developers added to an already crummy project? Ha! I'll send my money to the OpenBSD project, instead. OpenSSH and pf are just two examples of how they got the job done when outside projects fail to deliver. They'll do the same with LibreSSL, and in a year most everybody will have switched.

Send the OpenBSD project some money: http://www.openbsdfoundation.org/

Re:LibreSSL For Me (1)

just_another_sean (919159) | about 4 months ago | (#47120097)

Yes, do please contribute. And if you simply don't want to give your money to them at least go buy a CD or coffee mug [openbsd.org] . Every little bit helps!

Something needs to change (1)

Anonymous Coward | about 4 months ago | (#47120063)

Two developers for a core piece of software used by nearly the entire network industry. Hooray!! (slow sarcastic clap)

That's chump change for the big organizations involved. That's less than chump change. It wouldn't even catch the eye of brain dead bottom line accountant. It's probably tax deductible too.

Something needs to change.

Re:Something needs to change (0)

jellomizer (103300) | about 4 months ago | (#47120127)

Sure it is used by a lot of people... However it doesn't mean that you need a million eyes looking at it. OpenSSL while necessary, isn't a big program.

Almost every Unix/Linux command line user uses the cat command. How many people do you think you will need to review that?

Re:Something needs to change (0)

Anonymous Coward | about 4 months ago | (#47120383)

Um, it's close to a half million lines of very complex, unpleasant code. A little unfair to compare with 'cat', I think.

Re:Something needs to change (0)

Anonymous Coward | about 4 months ago | (#47122751)

But the development team could build a new OpenSSL in parallel with the current OpenSSL and only implement the code in the new OpenSSL. Focus on core functionality standard across all platforms which the current OpenSSL supports today. Then tackle each platform's specific implementation details weeding out the obsolete platforms in the process; these legacy systems can be added later if warranted. Allow 12 months for the rewrite by the OpenSSL development team to ensure error-free implementation. Utilise secure coding standards to avoid potential issues.

I'm quite sure "the OCAP team, which includes Johns Hopkins professor and cryptographer Matthew Green, will have the money to fund an audit of OpenSSL" has a lot to do with the project receiving funding.

Re:Something needs to change (1)

jones_supa (887896) | about 4 months ago | (#47121335)

Sure it is used by a lot of people... However it doesn't mean that you need a million eyes looking at it. OpenSSL while necessary, isn't a big program.

Almost every Unix/Linux command line user uses the cat command. How many people do you think you will need to review that?

You have no idea what you are talking about.

Makes me think if you have browsed the source code of any UNIX program?

Re:Something needs to change (1)

genx76 (3622475) | about 4 months ago | (#47120165)

It's probably tax deductible too.

Supposing they did not escape all taxes yet.

Re:Something needs to change (1)

Anonymous Coward | about 4 months ago | (#47120225)

Supposing they did not escape all taxes yet.

Take off your tinfoil hat. Stop spreading the myth that these companies don't pay taxes. If they didn't, the IRS would be all over them.

Re:Something needs to change (1)

Anonymous Coward | about 4 months ago | (#47120365)

Take off your tinfoil hat. Stop spreading the myth that these companies don't pay taxes. If they didn't, the IRS would be all over them.

The point of comments like that is not that these companies don't pay all taxes required by law, but that current tax laws & tax treaties with foreign jurisdictions allow you to create corporate structures like the double Irish Dutch sandwich [wikipedia.org] which effectively pay no tax at all.

Re:Something needs to change (0)

Anonymous Coward | about 4 months ago | (#47121197)

Stop spreading the myth of humans causing global warming. If there was global warming, the state would be all over the pollution causing companies.

Re:Something needs to change (1)

atomic-penguin (100835) | about 4 months ago | (#47120803)

It's probably tax deductible too.

No, the OpenSSL foundation is a for-profit consultancy whose primary business purpose is US government FIPS support contracts.

Darn it all to heck (1)

philip.paradis (2580427) | about 4 months ago | (#47120157)

Given the fact that projects like this have a tendency to shut down in the middle of security audits, it must be curtains for OpenSSL. Just look at what happened to TrueCrypt!

.
.
.
pst, it's a joke
.
.
.

Re:Darn it all to heck (0)

LordLimecat (1103839) | about 4 months ago | (#47120797)

It would be nice, however, if Slashdot had picked up in the biggest piece of Tech news in the last several months and actually reported TrueCrypt's demise.

Re:Darn it all to heck (0)

Anonymous Coward | about 4 months ago | (#47121005)

link [slashdot.org]

Kill it with fire (3, Funny)

EmperorOfCanada (1332175) | about 4 months ago | (#47120229)

Why give these guys money? Start afresh like the BSD guys are doing. I suspect they don't want to lose their juicy consulting gigs.

I dont trust it anymore (1)

Anonymous Coward | about 4 months ago | (#47120267)

Question: Why spend money and resources on OpenSSL when you can spend it on LibreSSL?

Question: Is OpenSSL currently useful for intelligence agencies?

Question: Can the same be said for LibreSSL when it is done?

no credibility (2)

iggymanz (596061) | about 4 months ago | (#47120319)

the fact that these companies haven't even addresses the other MASSIVE flaw with openssl (which the OpenBSD team has dealt with already) shows they have no grasp of the issues

Re:no credibility (1)

Anonymous Coward | about 4 months ago | (#47120523)

Support for RSA and ECC accelerators? They dealt with that. Gone.
Support for symmetric crypto accelerators? They dealt with that. Gone.
Vectorized C and ASM cipher implementations? They dealt with that. Gone.
Portability to *anything* not OpenBSD? They dealt with that, too.

LibreSSL - "how to turn a crusty SSL library into a academic toy"

Re: no credibility (1)

Anonymous Coward | about 4 months ago | (#47120763)

The accelerators are still there. They just use OpenBSD's unified /dev/crypto interface. In fact, for years OpenBSD's OpenSSL was the only one that did HW acceleration out-of-the-box and with no configuration except a single sysctl.conf option.

Re:no credibility (1)

iggymanz (596061) | about 4 months ago | (#47120883)

nonsense, it was the openssl code that had crufty incorrect methodology for being "portable", #ifdef hell and a contrived c dialect.

The openbsd team's changes are making the code easily portable just as openssh and their other major projects are, and after building the openbsd version they'll then focus on the portable version

Security audit?!! (1)

Java Pimp (98454) | about 4 months ago | (#47120629)

I hope they don't shut the project down... abruptly and without warning...

Re:Security audit?!! (1)

cpghost (719344) | about 4 months ago | (#47122979)

I hope they don't shut the project down... abruptly and without warning...

You mean with warning... not to use OpenSSL, but rely on Microsoft's NSA-infested crypto-libraries like TrueCrypt did with its BitLocker recommendation?

fros&t pist (-1)

Anonymous Coward | about 4 months ago | (#47120837)

conflicts that What provid3s the

I'm thinking of other acronyms (1)

ThatsNotPudding (1045640) | about 4 months ago | (#47121035)

Whoever is hired to fix OpenSSL will instantly receive an NSL to STFU and put in an NSA backdoor.

Re: I'm thinking of other acronyms (1)

jd2112 (1535857) | about 4 months ago | (#47122049)

And that differs from libreSSL in what way?

Re:I'm thinking of other acronyms (0)

Anonymous Coward | about 4 months ago | (#47123389)

Whoever is hired to fix OpenSSL will instantly receive an NSL to STFU and put in an NSA backdoor.

The fact that they do not use USA cryptographers and possibly developers just because of crap like you suggested
and the FBI provided backdoor attempt a few years back.

Just Typical (0)

Anonymous Coward | about 4 months ago | (#47121427)

This is so typical of corporate clueless management. You have some expert developers with really good track records who have looked at the OpenSSL code and declared it unfit to live. They are already doing the right thing and rewriting it (LibreSSL). The clueless mgmt comes along and commits resources to "Exactly The Wrong Thing" despite having enough information available to them to make a good decision.
Are there any developers out there who have not experienced this same situation? We all know this will guarantee a crappy product (OpenSSL).

not a crypto problem (1)

Gothmolly (148874) | about 4 months ago | (#47122277)

So don't bring in cryptographers. Heartbleed was a bonehead entry level programming error based on some arguably foolish decision about performance improvements. Read the code cleanup comments at libressl.org.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>