OpenSSL 1.0.0 Released
hardaker writes "After over 11 years of development since the start of the OpenSSL Project (1998-12-23), OpenSSL version 1.0.0 has finally hit the shelves of the free-for-all store."
Now that the first version is finally in release, how long before the first set of changes hits? Everybody knows 1.0 of anything is full of bugs.
And on a more serious note, did anyone ever publish a specification of what a 1.0 release should have in it? Or is this somewhere between "declare victory" and "declare exhaustion"?
Behold, this dreamer cometh. Come now, and let us slay him... and we shall see what will become of his dreams.
The issue is the one of encryption vs. authentication vs. both at the same time, and the fact that SSL/TLS was designed to provide both at the same time only, without any sane way to provide just one of those things at a time, as opposed to, e.g., PGP.
I'm no cryptographer, just a part-time server administrator (and other things too, but this is irrelevant), but my experience, together with plain, old common sense tells me that things would be much easier for both administrators and security guys (is there a proper name for them?) if the concepts of data encryption on the wire and authentication of the other party were separated both in protocol and implementation. Besides the obvious benefit of being able to encrypt the connection without those silly, cartel-provided certificates (even without indicating anything at all to the user, so they don't get a false sense of having more security in place than there is, default encryption of the most popular protocols would do much to thwart all but the most determined wiretapping and eavesdropping attempts), such a separation into two distinct technologies should make it a lot harder to break both things at the same time, and a lot easier to fix any single one of them that someone managed to break without affecting the other.
Of course I could be wrong, and even if I'm not, there's too much inertia in technology and too much money in the SSL certificate cartels for anything to change in this direction, but at least I still have my right to rant a little bit.
This is Slashdot. Common sense is futile. You will be modded down.