Slashdot Mirror

← Back to Stories (view on slashdot.org)

GoAhead/DMF Web Server Gets Micro-SSL Support

Posted by timothy on from the smallness dept.

JimCricket writes "The world's most popular embedded web server has gained something embedded developers have long wished for: support for a small (~50kB) SSL library designed specifically for embedded use. See the press release. The GoAhead WebServer, SSL, and Device Management Framework (from Art & Logic) can now be built into a secure, small-footprint, embedded web application platform."

4 of 10 comments (clear)

  1. From the link by Dancin_Santa · · Score: 3, Interesting

    Love the quote:

    Mocana's software is optimized for embedded systems and NOT based on large, slow open source code.

    That and a buck fifty will get you a cup of coffee here at Slashdot.

    But I wonder about the usability of this kind of thing on larger platforms. The link also says that the SSL component is supported on Linux, VxWorks, Solaris, and Windows. It is also CPU-independent so it could theoretically run on any platform in existence given the right hooks into the OS.

    Why isn't anyone else able to come up with an SSL library that is that small? I can't believe that with all the work going into creating these libraries that someone else hasn't been able to build one that small too. Or is there something that we are not being told (like while the binary is only 50K, the runtime memory requirements are much larger)

    1. Re:From the link by Anonymous Coward · · Score: 3, Interesting

      Why isn't anyone else able to come up with an SSL library that is that small? I can't believe that with all the work going into creating these libraries that someone else hasn't been able to build one that small too. Or is there something that we are not being told


      The reason is that there's bugger-all demand for this sort of thing. Most use of SSL is in standard servers. Then you've got web-enabled devices, most of which just use straight HTTP with passwords because it's assumed they'll only ever be accessed over a LAN. Of the rest, many are running some standard OS/embedded OS like Linux or WinCE where you've already got SSL support. Then there's little things like cellphones and whatnot which have got vendor-specific SSL support (possibly as WTLS) already. What's left is web-enabled devices that need SSL, don't already have it provided by the vendor, and aren't running a standard OS. This is a pretty small market.
    2. Re:From the link by onomatomania · · Score: 4, Informative

      It's probably because SSL is like the 800lb gorilla... There are many components of the process: exchanging credentials, establishing the session, parsing the ASN.1 certificates, verifying the authority chain, etc. There was an article posted to Slashdot a month or two ago where someone that had a cryptographical background analyzed a handful of open-source tunneling apps and declared that they really stunk from a security standpoing. One of his conclusions was that developers seemed to have come upon the huge complexity of SSL/TLS and thouht to themselves, "I don't need all that garbage, I'll just roll my own with only the relevent parts." However, his conclusion was that all that cruft and complexity of SSL was why it was secure and that with few exceptions the best choice would have been to simply use existing SSL libs, even if they were large and cumbersome. To do otherwise made certain compromises, making certain attacks more feasible.

    3. Re:From the link by acaird · · Score: 3, Insightful
      The reason is that there's bugger-all demand for this sort of thing.

      I disagree. Yes, there's little demand for the average OSS user, which means it's unlikely that you'll ever see an equivalent OSS SSL library, but the assumption that most embedded devices are LAN only isn't quite accurate, mostly because LANs are fading with the growing number of wireless network devices. The physical security that was provided by CAT-5 needs to be replaced with something, and the safest thing for vendors to do is not to rely on then consumer to cope with the alphabet soup of WEP/SSID/LEAP/RADIUS/whatever, but to impose security on the end user. SSL is probably the single most broadly available means of security - everyone has it, whether he knows it or not. When your next VCR/DVR/stereo/refrigerator has built-in wireless and web access, won't you be happier with SSL?

      On another note, the article also mentions that Mocana is also providing an SSH server for embedded devices. Finally. telnet may yet die the death it so deserves.

      --
      Power corrupts. PowerPoint corrupts absolutely. E. Tufte