OpenSSL Revalidated Following Suspension
lisah writes "Despite what looks like an organized effort to prevent it, OpenSSL has been revalidated by an independent testing agency for its ability to securely manage sensitive data and is ready for use by governmental agencies like the Department of Defense. According to the Open Source Software Institute, which has been overseeing the validation process for the last five years (something that typically takes only a few months), it seems that the idea of an open source SSL toolkit didn't sit right with proprietary vendors of similar products. A FUD campaign was launched against OpenSSL that resulted in a temporary suspension of its validation. Developers and volunteers refused to give up the ghost until the validation was reinstated, and Linux.com has the story of the project's long road to success." Linux.com and Slashdot are both owned by OSTG.
How does that make validation meaningless? That you can write an insecure app no matter the toolkit is irrelevant. What's relevant is that you cannot write a secure app with an insecure toolkit.
And of course, any moron can "write an insecure application" using any tools. Writing a secure application, OTOH . . .
Well, it's not necessarily "meaningless." It would be great to see more governmental agencies choosing open source options but, from what I understand, when it comes to managing sensitive data, only software that is tested and proven to be reliable and secure can be used -- hence OpenSSL's validation process. Sure, it's important to use the tools wisely but, without the FIPS validation, this open source tool can't be used by the government in the first place.
Validation is meaningless.
Is the government allowed to use OpenSSL if it is not validated?
If not, then I don't think the word "meaningless" means what you think it means.
No, but like they say in the article, it delayed their validation, because it's easier to criticize something open source: you can pull open the code and point at something and say "see, see". The OpenSSL team can't make the same accusations against a closed source product, because the code isn't available - trade secret.
/. news.
Validation is somewhat less meaningful for OSS because of this - anyone (assuming the proper skill level) could look at the code, and see for themselves if the criticisms have any merit. With a closed solution, all you have to go on is the validation - that stamp of approval.
You are correct though, this isn't that big a deal, it's just about OSS so it's
I don't need no instructions to know how to rock!!!!
FTA:
Since all of OpenSSL's source code has passed the testing process, now developers can focus on compiling binary libraries and submitting those for validation
Someone please explain to me why binaries aren't good enough for the first review, then later they are? Who says the new source code is "secure"?
Why didn't they require source code review for vendor products?
I hold it, that a little rebellion, now and then, is a good thing. -- Thomas Jefferson
1. FIPS 140 validations taking a long time is not unusual.
2. OpenSSL was validated as *source*. All other FIPS 140 validations are of *object code* or devices. This is the first cryptomodule to be validated in source form and contributed to the time taken to validate.
3. The OpenSSL original cert was suspended because there was a small bit of crypto code that resided outside the security boundary. Confusion between sponsor, lab, and NIST contributed to the suspension. See #2.
4. Claims of vendor FUD are overblown. NSS, another Open Source cryptomodule, already has FIPS 140-1 certification (for version 3.6; 3.11 will be entering FIPS 140-2 eval soon).
-- Cerebus
"We called it the FUD campaign," he says. "There were all kinds of complaints sent to the CMVP including one about 'Commie code.'"
"While OSSI was not able to review each complaint the CMVP received, the ones they did see often contained redacted, or blacked-out, data about who had filed the complaint. Some documents, however, did reveal the complainant information, and Weathersby says that is how the OSSI became aware that, in some cases, proprietary software vendors were lodging the complaints"
davecb5620@gmail.com
It seems to have cost over US$ 120,000 (by 2006) to certify, not including volunteer hours:
http://groups.google.com/group/mailing.openssl.users/browse_frm/thread/7aa07e7a6ba9bbe8/d3c4113f0a49998a?lnk=st&q=cost+FIPS+certification&rnum=3&hl=en#d3c4113f0a49998a