Slashdot Mirror
OpenSSL 1.0.0 Released
hardaker writes "After over 11 years of development since the start of the OpenSSL Project (1998-12-23), OpenSSL version 1.0.0 has finally hit the shelves of the free-for-all store."
← Back to Stories (view on slashdot.org)
I'm running Debian stable so it'll be another 10 years until it hits the repos.
Meh. I never run version 1.0 of anything.
How can I believe you when you tell me what I don't want to hear?
Just in time for commonplace MiTM spoofing.
That little lock on your browser window indicating you are communicating securely with your bank or e-mail account may not always mean what you think its means.
Normally when a user visits a secure website, such as Bank of America, Gmail, PayPal or eBay, the browser examines the website's certificate to verify its authenticity.
At a recent wiretapping convention, however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds. The boxes were designed to intercept those communications -- without breaking the encryption -- by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.
The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there.
The existence of a marketed product indicates the vulnerability is likely being exploited by more than just information-hungry governments, according to leading encryption expert Matt Blaze, a computer science professor at University of Pennsylvania.
"If the company is selling this to law enforcement and the intelligence community, it is not that large a leap to conclude that other, more malicious people have worked out the details of how to exploit this," Blaze said.
http://www.wired.com/threatlevel/2010/03/packet-forensics/
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
Be sure to encrypt your Ovaltine!
http://marc.info/?l=openssl-announce&m=126987886907671&w=2
http://www.openssl.org/source/exp/CHANGES
-molo
Using your sig line to advertise for friends is lame.
Fantastic! It's finally ready for production use! I can't until websites start using openssl! And I'll even be able to use a secure shell! Awesome!!
Be relentless!
From the Changelog:
Now that the first version is finally in relaase, how long before the first set of changes hits? Everybody knows 1.0 of anything is full of bugs.
And on a more serious note, did anyone ever publish a specification of what a 1.0 release should have in it? Or is this somewhere between "declare victory" and "declare exhaustion"?
Behold, this dreamer cometh. Come now, and let us slay him... and we shall see what will become of his dreams.
openssl(1): [STILL INCOMPLETE]
ssl(3): [STILL INCOMPLETE]
crypto(3): [STILL INCOMPLETE]
HOWTO: [STILL INCOMPLETE]
I would trade in the last 12 months worth of OpenSSL development for some decent documentation. [STILL INCOMPLETE] is a half truth as well; the complete bits suck in novel ways.
Looking over the changelog, it appears Google sponsored alot of the changes.
Guess they wanted to make sure openSSL is a good bit more secure, being that it's a hot button issue and all.
import system.cool.Sig;
Why do they call it Ovaltine? The mug is round. The jar is round. They should call it Roundtine.
There's no -1 for "I don't get it."
Easy enough to get around for in-person banks: Have them post their credentials on the walls of their buildings and have a take-home flyer with the same information printed on it.
This won't work for Internet banking and it will cause issues if the bank itself ever changes keys, but barring that it should work. Of course, this assume people who care enough to check.
On a more practical note, web browsers that keep local copies of credentials or at least credential-digests then alert when one changes will provide some protection. However, that won't help me if I'm under surveillance and the feds are playing man-in-the-middle with my Internet banking AND when I call the bank's phone number: If an FBI agent acting as a phone teller says "Yes, sorry about that, some Chinese hacker stole our key, yes, the new key is legit," I'm not likely to drive down to my nearest branch - which may be halfway across the country - to check it out.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Why the flip does it need to depend on perl5? I'll never get ssh running on 386BSD this way.
OpenSSL has until now had the least stable ABI of all commonly used Unix libraries. Having to upgrade half the system for a change from 0.98f to 0.98g is rather sad. Especially when bug fixes come with ABI changes.
Finally! A year of moderation! Ready for 2019?
My first thought was that they just ran out of digits in the 0.9 space! :p
(but seriously... great product, I make use of it myself)
ON DELETE CASCADE
Actually, if your library version is the same as project release version, the numbering scheme matters very much, since it's well-defined in the UNIX (or at least ELF?) environment - for version a.b, all a.x versions must be ABI forward-compatible: if it runs with 1.0, it must also run with 1.1; if it runs with 1.1, it might not run with 1.0 (usually, a third number is added for non-ABI-changing updates). Traditionally, if you don't want to guarantee ABI compatibility just yet, you use a=0.
...or taking so long to start guaranteeing ABI compatibility, since not having it is a royal PITA.
You could say the "mistake" OpenSSL might have done is tying its shared library version with the project release version (which is not really neccessary).
It's not the fall that kills you. It's the sudden stop at the end. -Douglas Adams
Everybody knows 1.0 of anything is full of bugs.
This is actually changing somewhat, at least when it comes to open source. Go through the repository for any major Linux distro and note how many pre-1.0 packages there are. They may be "pre-release," but that doesn't mean that the quality is terrible.
Remember that an increment in the major version indicates a significant "milestone" of one type or another. Traditionally, the milestone has been the addition of a major set of features. But some open-source packages are using it to mean "release quality." In other words, 1.0 is actually very stable and feature-complete, and that's the milestone that's been achieved to warrant the major-version change.
That's not to say this is universal. A well-known example would be KDE 4.0 (please, let's keep flames, trolls, and holy wars to a minimum), which was a huge leap from the 3.x series. The jump made the major-version change necessary, but everybody admits that it was never ready (nor meant to be ready) for daily use.
In the commercial world, however, releases mark a money-making milestone: the company can now market a large set of new features to sell! "Now with more bugs!" should be on the box. That's why the traditional model of software versions makes you wary of the big 1.0.
Not bloody likely. OpenSSL and OpenSSH are a wee bit bigger than ubuntu, imo.
Sent from my PDP-11
You mean the WINDOWS approach. You know that MS started that “trend”, and that we all hated it, back then?
We still do, for the same reasons.
Also, software doesn’t go stale, so your “argument” is false. If there is nothing to change, because it is fine as it is, and nobody finds bugs despite searching for them, would you stop using a program, just because it’s older??
The reason MS introduced date version numbers, was to HIDE that actually not much changed, and that a update wasn’t worth at all. Because their incomes depended on us buying yet another “new” version.
Now they went back to version numbers.
The really sad thing is, that the open source desktop groups imitate every little completely retarded change from MS (who itself imitate(d|s) Apple, Xerox and others). But cares, to make it that little bit worse and more annoying. KDE is a perfect example. The Kicker menu, the file browser, etc. You could put a Windows skin on it, rename the menu entries, and you would only know the difference to Windows by which one is more annoying. (Dolphin even still imitates things that MS did in Windows 95, like the single-click interface, and that they realized was a horrible idea, a bit later.)
I wish they would grow some balls, stop using the “newbie” excuse, and show that they can lead the way into something better, instead of guaranteeing to never ever surpass MS, by just imitating every crappy thing from them as a self-enforced eternal bridesmate.
Any sufficiently advanced intelligence is indistinguishable from stupidity.
The feds don`t need to do mitm between you and your bank. If they want to go to the trouble of checking your banking activity, they probably have enough evidence to get a search warrant from a judge. It`s your common communications like phone and e-mail that the police want to be able to snoop on without the hassle of a court order. The feds get a copy of major money movements from the domestic banks anyways, and they can figure out how much you have from the interest statements transmitted to the tax collection branch of government. Foreign banks in tax havens are admittedly a different matter, but that isn't a concern for most of the population.
The people that want to do mitm attacks between you and your (domestic or foreign) bank are the criminals that want to pilfer your accounts.
Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
I echo my sibling's comment in that I have no problem at all with the website's style - I'd far rather have a simplistic straightforward HTML-driven site than some stupid Javascript-redirect-driven graphic-design student project. This is really important for security-related software distribution sites where it's necessary to be absolutely sure where your downloads are coming from.
The site does however have some problems with organisation of content - e.g. it'd be nice if they followed some more de-facto site-structure conventions like having a "Downloads" link to a page which provides the source tarballs, and states explicitly that there are no binaries available ... and maybe even provides links to the more common Linux distro repositories where binaries may be found, even places where (gasp) Windows binaries can be found .... like http://www.stunnel.org/download/binaries.html (the place I always used to go to get my Windows OpenSSL binaries, but which seems a little unmaintained these days) .... or http://www.slproweb.com/products/Win32OpenSSL.html (which is a lot more up to date, and professionally organised).
There is an openssl.org page with info about Win32 binaries :
http://www.openssl.org/related/binaries.html
(which links to the www.slproweb.com site) but it's not easy to find (IMHO).
And then there's the awful documentation, as many others have mentioned. I'd offer to help out with that if I was half-way crypto-competent enough to do so.
But the site's retro style is fine ... the use of colours is restful on the eyes, and avoids use of the stupid 2-point flyspec fonts so beloved of those whose eyes are much younger than mine and who aren't worrying about damaging them :)
If you don't pray in my school, I won't think in your church.
If they want to go to the trouble of checking your banking activity, they probably have enough evidence to get a search warrant from a judge.
This is the important bit, and we don't want it to change. if SSL wiretapping is practicable for the cops, there is now a possibility that it could change.
Which would suck.
DRM: Terminator crops for your mind!
You mean the WINDOWS approach. You know that MS started that “trend”, and that we all hated it, back then?
We still do, for the same reasons.
Actually, Adobe did it with Illustrator way back in 88.
Also, software doesn’t go stale, so your “argument” is false. If there is nothing to change, because it is fine as it is, and nobody finds bugs despite searching for them, would you stop using a program, just because it’s older??
Lots of software goes stale. Libraries cease to work with newer file formats and/or protocols. Programs don't understand newer formats or keep supporting features deprecated ages ago.
Granted, some software can stay the same for decades, but there is a lot that does need updating to keep with the times.
I stand by my argument that having a release with a "date stamp" makes it easier to keep track of these things. It's by no means the only approach, but it a perfectly sensible one.
.: Max Romantschuk
It is widely understood that when converting version numbers between closed-source and open-source revision schemes, you should always shift the decimal point one space to the left.
ClosedSource 1.0 = OpenSource 0.1
Finally had enough. Come see us over at https://soylentnews.org/
er, wait. as a kde user, i'm still on kde3, and i could have many complaints about kde4. but...
1. kicker is actually very nice. and i'm saying that as a quite conservative user :)
one *annoying* thing in kde3 version (as per suse) - it opens when mouse is moved in the lower left corner. i hope that thing is at least configurable in kde4, though.
2. single click is actually good... if implemented correctly (which ms never did, which is one of the main reasons it pretty much died off). :) (and that was around kde2/3)
and the select/unselect method dolphin provides is extremely cool (even if i use console for my file management needs 95% of the time) - i find myself missing it when using kde3 daily for some photo sorting.
besides, you can set kde to doubleclick - although i don't remember where exactly, i set it to be like that only for the first few months when i switched from windows
Rich
... Duke Nukem Forever has ALSO been released.
On the up side, it only takes one mouse click and a pop up that says "Are you sure you want to get burnt?" to do so.
Tequila: It's not just for breakfast anymore!
There is no mathematical difference between a date stamp and a version stamp if they both increment by arbitrary amounts over releases and programmers can't move backward in time.
I don't understand why anyone would discuss such a difference at all.
See the versioning scheme for TeX for another option.
- Michael T. Babcock (Yes, I blog)
Thing is, Red Hat and friends stopped waiting and already moved to NSS over three years ago. http://en.wikipedia.org/wiki/Network_Security_Services
Kriston
There is no mathematical difference between a date stamp and a version stamp if they both increment by arbitrary amounts over releases and programmers can't move backward in time.
Good point. :)
I'd heard of the TeX approach before. I like it, but personally I don't have that much fate in the architectural direction most projects to see it as a viable option for universal adoption. ;)
.: Max Romantschuk