OpenSSL 1.0.0 Released
hardaker writes "After over 11 years of development since the start of the OpenSSL Project (1998-12-23), OpenSSL version 1.0.0 has finally hit the shelves of the free-for-all store."
I'm running Debian stable so it'll be another 10 years until it hits the repos.
Meh. I never run version 1.0 of anything.
How can I believe you when you tell me what I don't want to hear?
Just in time for commonplace MiTM spoofing.
That little lock on your browser window indicating you are communicating securely with your bank or e-mail account may not always mean what you think it means.
Normally when a user visits a secure website, such as Bank of America, Gmail, PayPal or eBay, the browser examines the website's certificate to verify its authenticity.
At a recent wiretapping convention, however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds. The boxes were designed to intercept those communications -- without breaking the encryption -- by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.
The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there.
The existence of a marketed product indicates the vulnerability is likely being exploited by more than just information-hungry governments, according to leading encryption expert Matt Blaze, a computer science professor at University of Pennsylvania.
"If the company is selling this to law enforcement and the intelligence community, it is not that large a leap to conclude that other, more malicious people have worked out the details of how to exploit this," Blaze said.
http://www.wired.com/threatlevel/2010/03/packet-forensics/
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
Be sure to encrypt your Ovaltine!
http://marc.info/?l=openssl-announce&m=126987886907671&w=2
http://www.openssl.org/source/exp/CHANGES
-molo
Using your sig line to advertise for friends is lame.
Fantastic! It's finally ready for production use! I can't wait until websites start using openssl! And I'll even be able to use a secure shell! Awesome!!
Be relentless!
Version 1.0 and I'm sure the docs are all outdated as they always have been. They really need to get their shit together when it comes to some decent documentation.
From the Changelog:
Now that the first version is finally in release, how long before the first set of changes hits? Everybody knows 1.0 of anything is full of bugs.
And on a more serious note, did anyone ever publish a specification of what a 1.0 release should have in it? Or is this somewhere between "declare victory" and "declare exhaustion"?
Behold, this dreamer cometh. Come now, and let us slay him... and we shall see what will become of his dreams.
openssl(1): [STILL INCOMPLETE]
ssl(3): [STILL INCOMPLETE]
crypto(3): [STILL INCOMPLETE]
HOWTO: [STILL INCOMPLETE]
I would trade in the last 12 months worth of OpenSSL development for some decent documentation. [STILL INCOMPLETE] is a half truth as well; the complete bits suck in novel ways.
Looking over the changelog, it appears Google sponsored a lot of the changes.
Guess they wanted to make sure openSSL is a good bit more secure, being that it's a hot button issue and all.
import system.cool.Sig;
Why do they call it Ovaltine? The mug is round. The jar is round. They should call it Roundtine.
There's no -1 for "I don't get it."
Easy enough to get around for in-person banks: Have them post their credentials on the walls of their buildings and have a take-home flyer with the same information printed on it.
This won't work for Internet banking and it will cause issues if the bank itself ever changes keys, but barring that it should work. Of course, this assumes people who care enough to check.
On a more practical note, web browsers that keep local copies of credentials or at least credential-digests then alert when one changes will provide some protection. However, that won't help me if I'm under surveillance and the feds are playing man-in-the-middle with my Internet banking AND when I call the bank's phone number: If an FBI agent acting as a phone teller says "Yes, sorry about that, some Chinese hacker stole our key, yes, the new key is legit," I'm not likely to drive down to my nearest branch - which may be halfway across the country - to check it out.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
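An added illustration of the local credential-digest check described in the comment above; it is not part of the original thread and not any browser's code. `PinStore`, `bank.example` and the certificate byte strings are constructed for the example, and `ca_valid` stands for the result of ordinary CA chain validation.

```python
import hashlib

# Constructed stand-ins for DER-encoded certificates (not real certificates).
BANK_CERT = b"constructed-der: CN=bank.example, issuer=CA-One, key=A"
FORGED_CERT = b"constructed-der: CN=bank.example, issuer=CA-Two, key=M"
ROTATED_CERT = b"constructed-der: CN=bank.example, issuer=CA-One, key=B"


def digest(der: bytes) -> str:
    """SHA-256 over the certificate bytes: the 'credential digest' kept locally."""
    return hashlib.sha256(der).hexdigest()


class PinStore:
    """Remembers the digest first seen for each host and flags later changes."""

    def __init__(self):
        self._pins = {}  # host -> set of digests the user has accepted

    def check(self, host: str, der: bytes, ca_valid: bool) -> str:
        if not ca_valid:
            return "reject"            # ordinary chain validation already failed
        d = digest(der)
        accepted = self._pins.setdefault(host, set())
        if not accepted:
            accepted.add(d)            # trust on first use
            return "first-use"
        return "ok" if d in accepted else "alert"

    def accept(self, host: str, der: bytes) -> None:
        """Record a new certificate after the user confirmed it by other means."""
        self._pins.setdefault(host, set()).add(digest(der))


def replay(events):
    """Run (host, der, ca_valid) observations through a fresh store."""
    store = PinStore()
    return [store.check(h, der, ok) for h, der, ok in events]


if __name__ == "__main__":
    # The forged certificate chains to a trusted CA, so ca_valid is True for it.
    print(replay([
        ("bank.example", BANK_CERT, True),
        ("bank.example", BANK_CERT, True),
        ("bank.example", FORGED_CERT, True),
        ("bank.example", ROTATED_CERT, True),
    ]))
```

The forged certificate and the bank's own rotated key produce the same alert, which is the key-change problem the comment raises: the store cannot tell them apart, so the decision falls back on whatever out-of-band confirmation precedes `accept`.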
...but when it comes to version numbers I've grown fond of Ubuntu's approach, with month and year as the version. It makes it very simple to tell if you have a fresh or stale copy of something.
But then again, OpenSSL is a library. Version numbering schemes hardly matter for something like that.
.: Max Romantschuk
Why the flip does it need to depend on perl5? I'll never get ssh running on 386BSD this way.
OpenSSL has until now had the least stable ABI of all commonly used Unix libraries. Having to upgrade half the system for a change from 0.98f to 0.98g is rather sad. Especially when bug fixes come with ABI changes.
Finally! A year of moderation! Ready for 2019?
Iphone OS 45.6 ?
My first thought was that they just ran out of digits in the 0.9 space! :p
(but seriously... great product, I make use of it myself)
ON DELETE CASCADE
and so do many other stuff, just getting ready to be included in the next LTS version, which should be installed in a number of computers that just a few years ago no one could have even imagined.
So.. just coincidence? Should we really thank Canonical for this version-number pushing effort? It looks this way.
Regards
personally, I miss the 1990s.. when links to files were not huge masses of redirecting javascript designed to make the visitor jump through hoops to download a simple file. index of / is good enough for me.
Everybody knows 1.0 of anything is full of bugs.
This is actually changing somewhat, at least when it comes to open source. Go through the repository for any major Linux distro and note how many pre-1.0 packages there are. They may be "pre-release," but that doesn't mean that the quality is terrible.
Remember that an increment in the major version indicates a significant "milestone" of one type or another. Traditionally, the milestone has been the addition of a major set of features. But some open-source packages are using it to mean "release quality." In other words, 1.0 is actually very stable and feature-complete, and that's the milestone that's been achieved to warrant the major-version change.
That's not to say this is universal. A well-known example would be KDE 4.0 (please, let's keep flames, trolls, and holy wars to a minimum), which was a huge leap from the 3.x series. The jump made the major-version change necessary, but everybody admits that it was never ready (nor meant to be ready) for daily use.
In the commercial world, however, releases mark a money-making milestone: the company can now market a large set of new features to sell! "Now with more bugs!" should be on the box. That's why the traditional model of software versions makes you wary of the big 1.0.
I'm waiting until Service Pack 2.
Poor means hoping the toothache goes away.
So surely that means it's gotten rid of all that certificate nonsense, right?
Go read Peter Gutmann's X.509 Style Guide if you want to cry. If that doesn't work, try implementing an ASN.1 library from scratch.
I'll take SSH and SPKI any day over the X.509/TLS mess.
http://outcampaign.org/
In some of these open source projects, version 1.0 is like the first time the odometer in your car rolls over. Or like a couple who finally decide to get married after 15 years of living in sin. I wonder if this big decision involved a trip to Vegas.
Version 1.0 isn't that different from getting married. Some enter into it on the basis of hope and enthusiasm with neither experience nor skill, while others circle each other like planets in a decaying orbit.
A long run in the zero point nineties is like the people who are technically married, but have not yet escaped their parents' basements, lacking either the spirit or means of independence.
Then comes the bold and tremulous day when they finally cut the apron strings, while everyone stands around in a state of genuine micro-perplexity going "I had no idea".
I read the other day that the dung beetle has been discovered to be one of the world's strongest organisms by body mass. I've never seen a single dung beetle toting a Champagne magnum. It's clear they can't get the cork out. Or maybe no one has figured out how to make the bubbles small enough to fit in the bottle.
The feds don't need to do mitm between you and your bank. If they want to go to the trouble of checking your banking activity, they probably have enough evidence to get a search warrant from a judge. It's your common communications like phone and e-mail that the police want to be able to snoop on without the hassle of a court order. The feds get a copy of major money movements from the domestic banks anyways, and they can figure out how much you have from the interest statements transmitted to the tax collection branch of government. Foreign banks in tax havens are admittedly a different matter, but that isn't a concern for most of the population.
The people that want to do mitm attacks between you and your (domestic or foreign) bank are the criminals that want to pilfer your accounts.
Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
I echo my sibling's comment in that I have no problem at all with the website's style - I'd far rather have a simplistic straightforward HTML-driven site than some stupid Javascript-redirect-driven graphic-design student project. This is really important for security-related software distribution sites where it's necessary to be absolutely sure where your downloads are coming from.
The site does however have some problems with organisation of content - e.g. it'd be nice if they followed some more de-facto site-structure conventions like having a "Downloads" link to a page which provides the source tarballs, and states explicitly that there are no binaries available ... and maybe even provides links to the more common Linux distro repositories where binaries may be found, even places where (gasp) Windows binaries can be found .... like http://www.stunnel.org/download/binaries.html (the place I always used to go to get my Windows OpenSSL binaries, but which seems a little unmaintained these days) .... or http://www.slproweb.com/products/Win32OpenSSL.html (which is a lot more up to date, and professionally organised).
There is an openssl.org page with info about Win32 binaries :
http://www.openssl.org/related/binaries.html
(which links to the www.slproweb.com site) but it's not easy to find (IMHO).
And then there's the awful documentation, as many others have mentioned. I'd offer to help out with that if I was half-way crypto-competent enough to do so.
But the site's retro style is fine ... the use of colours is restful on the eyes, and avoids use of the stupid 2-point flyspec fonts so beloved of those whose eyes are much younger than mine and who aren't worrying about damaging them :)
If you don't pray in my school, I won't think in your church.
If they want to go to the trouble of checking your banking activity, they probably have enough evidence to get a search warrant from a judge.
This is the important bit, and we don't want it to change. If SSL wiretapping is practicable for the cops, there is now a possibility that it could change.
Which would suck.
DRM: Terminator crops for your mind!
"If you like MS, you run version 3.1 or get burnt trying."
... get burnt.
If you like MS, you
Let's look at some of the quotes:
"I've read studies and heard speeches in academic circles that theorize that concept, but we never would issue a 'fake' SSL certificate,"
"we have never had a single instance where law enforcement asked us to do something inappropriate."
"Verisign has never issued a fake SSL certificate, and to do so would be against our policies," said vice president Tim Callan.
Let's see, they can issue real certificates to the government for any domain that the government wants. They feel that it is appropriate because they are helping the government. The government probably said that they were helping to catch terrorists.
Is it possible to have a double or triple signed certificate so that several CAs would have to sign?
It is widely understood that when converting version numbers between closed-source and open-source revision schemes, you should always shift the decimal point one space to the left.
ClosedSource 1.0 = OpenSource 0.1
Finally had enough. Come see us over at https://soylentnews.org/
... Duke Nukem Forever has ALSO been released.
Thing is, Red Hat and friends stopped waiting and already moved to NSS over three years ago. http://en.wikipedia.org/wiki/Network_Security_Services
Kriston