DoD team nears Security Validation of OpenSSL
tadelste writes: "An important DoD program took a page from Open Source and Do-It-Yourself-IT (DIYIT) and applied for their own Security Validation. In this article Steve Marquess says: 'as a taxpayer, I felt very annoyed. But it made me realize a couple of things. First, if OpenSSL had been validated, then it was possible for us to do it again. Secondly, if we could do it we could save a lot of money for the program.'"
- Government pays directly for certifying open source products
- Private companies "use" the open source product in their own commercial (very expensive) offerings, pay for the certification, then sell the (largely open source) products at a substantial markup to the government
You save a few pennies in the first option by no longer having the government pay for certification, but you lose many times over in the markup.
"dope will get you through times of no money better than money will get you through times of no dope"
Since they are having to revalidate the same code others have already validated (albeit with some modifications), it's still a good thing to see DoD at least attempting to use my tax dollars smarter, by spending the time to formally validate open source software instead of buying proprietary software for hundreds of thousands of dollars that contains basically the same code.
Any time the Govt. decides to use Free software instead of MS stuff, I also sleep better at night, for several reasons.
Tequila: It's not just for breakfast anymore!
BTW, this shows some of the GPL-camp fears: too-free (as in BSD) code packaged into proprietary apps... some people will not realize they can get the exact same code for free.
(the debate on "in licensing from private outfit you are paying for support of that free code" is left to the reader ;)
That summary is potentially misleading because it leaves out the reason why he was annoyed. Here is the whole paragraph:
Because OpenSSL has a BSD-style license, many vendors simply grabbed the source code and incorporated it into their proprietary products. Those vendors wanted literally hundreds of thousands of dollars in licensing fees. As Steve attests, "as a taxpayer, I felt very annoyed. But it made me realize a couple of things. First, if OpenSSL had been validated, then it was possible for us to do it again. Secondly, if we could do it we could save a lot of money for the program."
So he was annoyed at vendors who he thought were ripping the government off, not at the wastefulness of the government auditing OpenSSL, as I read the summary to say.
In a lot of cases, when software is being written to do X thing, the DoD will go to lengths to write it from top to bottom.
OpenSSL has proven itself worthy on the battle field of the internet.
If by using OpenSSL, the DoD can design better systems faster that allow our troops to be more efficient (i.e. deadlier) and it costs us less money and the DoD returns any bugs it finds to the community, I don't see how this is a bad thing.
Yes Francis, the world has gone crazy.
yeah, until it's on 90% of desktops... then we'll see how secure it is
You miss the point entirely. OpenSSL has already been validated, and the source has been seen by thousands of other people. THAT is what makes it more secure. It's proven and open. OpenSSL isn't a "desktop", it's a library for encryption. It's released under a BSD license, so Microsoft could include it in every copy of XP if it so chose to. It's not platform dependent.
And to further blow your smug theory away, any Unix-like operating system will always be more secure than the current Windows systems by design. It's not an opinion, it's a design choice that makes the software somewhat more difficult to use but gains security. You CAN make a Unix-like OS as insecure as a standard Windows install (hello Lindows), but you have to really try.
It would be nice if the "yeah, wait until more people use Linux" crowd had a clue what they were talking about, especially since this has exactly NOTHING to do with Linux. Linus, to my knowledge, has not contributed to OpenSSL, and OpenSSL will work just fine with no need for Linux.
What happens when OpenSSL makes a code fix? Does it all have to be re-validated? Do they supply a signed MD5 hash that says: "These sources are authorized for compiling a FIPS-140 compliant binary"?
There was a comment here on slashdot in the past few months (can't find it now) about if you want to create trustworthy code, you first need to trust every layer below it, and every tool used to create it. Did this team use a validated build of gcc to create their OpenSSL binaries?
Chip H.
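The question above (does a code fix invalidate the validated sources, and how would anyone prove a given tree is the authorized one?) comes down to a hash manifest over the source tree. The following is an added example, not code from the thread, from OpenSSL, or from NIST's actual procedure: it builds a SHA-256 manifest of a constructed sample source tree, then shows that a single upstream fix makes the tree fail verification, which is exactly the point at which a re-validation question arises. The file names and contents are made up for the example, and the detached signature that would normally be placed over the manifest (so that a recipient can trust the manifest itself) is assumed to be handled out of band and is not implemented here.

```python
"""Verify a source tree against a hash manifest (added example, constructed data)."""
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed stand-in for a validated source tree; paths and contents are
# invented for this example and do not correspond to real OpenSSL files.
SAMPLE_TREE = {
    "crypto/sha/sha256.c": "/* constructed stand-in for a validated source file */\n",
    "crypto/aes/aes_core.c": "/* constructed stand-in for a validated source file */\n",
    "VERSION": "example-1.0\n",
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest.
    In practice this manifest would be signed with a detached signature
    (assumed, not implemented here) so the manifest itself can be trusted."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the tree at root against a manifest.
    Any non-empty list means the tree is not the exact set of files the
    manifest vouches for: a changed file, a dropped file, or an extra one."""
    current = build_manifest(root)
    modified = sorted(f for f in manifest if f in current and current[f] != manifest[f])
    missing = sorted(f for f in manifest if f not in current)
    unexpected = sorted(f for f in current if f not in manifest)
    return {
        "ok": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


def write_tree(root: Path, files: dict) -> None:
    """Materialise the constructed sample tree on disk."""
    for rel, text in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)


def demo() -> dict:
    """Build a manifest over the pristine tree, then apply a one-file fix and
    show that verification now fails on exactly that file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        write_tree(root, SAMPLE_TREE)
        manifest = build_manifest(root)
        pristine = verify_manifest(root, manifest)
        # Simulate an upstream bug fix landing in one file after validation.
        (root / "crypto/sha/sha256.c").write_text("/* patched after validation */\n")
        after_fix = verify_manifest(root, manifest)
        return {"pristine": pristine, "after_fix": after_fix, "manifest": manifest}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The pristine tree verifies cleanly; after the simulated fix, `modified` lists `crypto/sha/sha256.c` and `ok` is false. That is the whole answer to "does it have to be re-validated?" from the integrity side: the manifest can only vouch for the byte-exact tree it was built over, so a validated build is pinned to one specific set of sources, and any patch, however small, produces a tree the signed manifest no longer covers.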
I really hate to get pedantic, but OpenSSL is Free Software. According to the Free Software Foundation, the OpenSSL license is a Free Software license incompatible with the GPL.
What you should have said is that the Free Software Foundation recommends developers use the GNU TLS library, but using OpenSSL in non-GPL projects is perfectly okay. Remember, GPL licensed software is only a subset of Free Software.
The preceding comments reflect the author's personal opinion and are public domain, unless explicitly stated otherwise.
But technically the interesting point of the certification is that they managed to get the source code certified. There is at least one other open source product, Crypto++, that is also FIPS 140-2 validated (Certificate #343). But they only managed to get a compiled package validated, which does help me to trust the code but not really to "sell" the library to PHBs. The article doesn't really go into how they did get NIST to validate the source code. Anybody know more details?
Suggesting that they just use OpenSSL for free rather than paying a commercial supplier for it is an "out of the box move" that "took guts"?
Yes.
We are talking about a huge bureaucracy here, one that has procedures established. These guys bucked the procedures and did something different, rather than doing the safe and expected thing. I can well believe that this took guts.
steveha
lf(1): it's like ls(1) but sorts filenames by extension, tersely