Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenSSL 1.0.0 Released

Posted by Soulskill on from the sweet-when-is-2.0 dept.

hardaker writes "After over 11 years of development since the start of the OpenSSL Project (1998-12-23), OpenSSL version 1.0.0 has finally hit the shelves of the free-for-all store."

16 of 105 comments (clear)

  1. You insensitice clod... by comm2k · · Score: 5, Funny

    I'm running Debian stable so it'll be another 10 years until it hits the repos.

    1. Re:You insensitice clod... by Cyclops · · Score: 3, Insightful

      Or monkeying with the random number generator.

      After being ignored by arrogant dolts who didn't bother to correct him and guide into providing a better fix.

    2. Re:You insensitice clod... by Al+Dimond · · Score: 4, Informative

      I'm pretty sure the only place the changes were committed was Debian patch repos. The whole thing is pretty much Debian-specific.

      I think you're trying to make a larger point, so I'll make a larger semi-rebuttal. If projects only gave commit access to people that understood the whole code base they'd never get anything done. Developers with the power to commit, whether to Debian's repository or upstream, should be aware of which code they understand. They should ask questions when they don't understand something, and they shouldn't commit it until they understand the consequences.

      I have commit access for Audacity and there are many parts of the program I don't know very well. That's how I operate. Anyone committing changes to OpenSSL ought to at least be as careful as I am with Audacity. I'm sure the actual OpenSSL project is a lot less permissive about giving access to their own repositories, and they probably review changes more closely.

      Debian seems to carry a lot of patches against a lot of programs and doesn't seem to ensure the same level of quality. At the same time, Debian has more resources for bug tracking and user reporting than many projects, and maintains security backports for projects that are unwilling. It's a bit of a mixed bag.

  2. 1.0.0 by pushing-robot · · Score: 4, Funny

    Meh. I never run version 1.0 of anything.

    --
    How can I believe you when you tell me what I don't want to hear?
  3. Geee! by Philip+K+Dickhead · · Score: 4, Informative

    Just in time for commonplace MiTM spoofing.

    That little lock on your browser window indicating you are communicating securely with your bank or e-mail account may not always mean what you think its means.

    Normally when a user visits a secure website, such as Bank of America, Gmail, PayPal or eBay, the browser examines the website's certificate to verify its authenticity.

    At a recent wiretapping convention, however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds. The boxes were designed to intercept those communications -- without breaking the encryption -- by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.

    The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there.

    The existence of a marketed product indicates the vulnerability is likely being exploited by more than just information-hungry governments, according to leading encryption expert Matt Blaze, a computer science professor at University of Pennsylvania.

    "If the company is selling this to law enforcement and the intelligence community, it is not that large a leap to conclude that other, more malicious people have worked out the details of how to exploit this," Blaze said.

    http://www.wired.com/threatlevel/2010/03/packet-forensics/

    --
    "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
    1. Re:Geee! by Enleth · · Score: 3, Interesting

      The issue is the one of encryption vs. authentication vs. both at the same time, and the fact that SSL/TLS was designed to provide both at the same time only, without any sane way to provide just one of those things at a time, as opposed to, e.g., PGP.

      I'm no cryptographer, just a part-time server administrator (and other things too, but this is irrelevant), but my experience, together with plain, old common sense tells me that things would be much easier for both administrators and security guys (is there a proper name for them?) if the concepts of data encryption on the wire and authentication of the other party were separated both in protocol and implementation. Besides the obvious benefit of being able to encrypt the connection without those silly, cartel-provided certificates (even without indicating anything at all to the user, so they don't get a false sense of having more security in place than there is, default encryption of the most popular protocols would do much to thwart all but the most determined wiretapping and eavesdropping attempts), such a separation into two distinct technologies should make it a lot harder to break both things at the same time, and a lot easier to fix any single one of them that someone managed to break without affecting the other.

      Of course I could be wrong, and even if I'm not, there's too much inertia in technology and too much money in the SLL certificate cartels for anything to change in this direction, but at least I still have my right to rant a little bit.

      --
      This is Slashdot. Common sense is futile. You will be modded down.
    2. Re:Geee! by pushing-robot · · Score: 3, Insightful

      To use the Packet Forensics box, a law enforcement or intelligence agency would have to install it inside an ISP, and persuade one of the Certificate Authorities — using money, blackmail or legal process — to issue a fake certificate for the targeted website. Then they could capture your username and password, and be able to see whatever transactions you make online.

      Granted, TFA states that a hacker could potentially circumvent the more difficult parts by using social engineering—registering a certificate that looks like it matches a particular web site and hoping surfers will manually accept it. But that's again a problem with the certificate authority and/or user, not SSL itself.

      All the article really boils down to is that SSL is useless if the client and server can't trust the certificate authority. Which should be freaking obvious.

      --
      How can I believe you when you tell me what I don't want to hear?
    3. Re:Geee! by Anonymous Coward · · Score: 3, Funny

      Like OMFG! Mallory you are such a bitch!

      - Alice

    4. Re:Geee! by rmm4pi8 · · Score: 4, Informative

      I'm sorry to say it, but if you want privacy, this is wrong. You can have authentication without encryption (digital signatures) but encryption without authentication = Man in the Middle. PGP and SSH don't get around this in any way, shape, or form--they just seed trust differently, with PGP using the web-of-trust model and SSH a repeatability model. Neither of those work very well for the classic "online banking" use case, however--average users are not going to seed their trust webs, and expect to be able to bank from computers at cafes, work, and friends' houses--none of which would have connected previously, making the SSH model unworkable.

      That's not to say there's nothing here--extensions to the SSL model like EV certs, DNSSEC, and phishing databases have all made these attacks harder. Perhaps browsers will implement web-of-trust or trust-history type extensions to make it harder yet. And it may well be the case that you simply cannot safely bank at computers you don't own, though with pre-shared keys and time-generated PINs both embedded into mailed fobs, the possibilities open up enormously as long as the execution is correct.

      But at the end of the day there's no true privacy without authentication built-in and for the core e-commerce use case, SSL is probably the best model.

      --
      U.S. War Crimes blog. Email for free Mandriva support.
  4. Release announcement and changelog by molo · · Score: 4, Informative

    http://marc.info/?l=openssl-announce&m=126987886907671&w=2

    http://www.openssl.org/source/exp/CHANGES

    -molo

    --
    Using your sig line to advertise for friends is lame.
  5. Waaahoo! by MarkRose · · Score: 4, Funny

    Fantastic! It's finally ready for production use! I can't until websites start using openssl! And I'll even be able to use a secure shell! Awesome!!

    --
    Be relentless!
  6. And in the better-late-than-never department by Accidental+Angel · · Score: 5, Funny

    From the Changelog:

    • BeOS support.
  7. 1.0 they finally got it right! by Tiger4 · · Score: 3, Interesting

    Now that the first version is finally in relaase, how long before the first set of changes hits? Everybody knows 1.0 of anything is full of bugs.

    And on a more serious note, did anyone ever publish a specification of what a 1.0 release should have in it? Or is this somewhere between "declare victory" and "declare exhaustion"?

    --
    Behold, this dreamer cometh. Come now, and let us slay him... and we shall see what will become of his dreams.
  8. Documentation by Anonymous Coward · · Score: 5, Insightful

    openssl(1): [STILL INCOMPLETE]
    ssl(3): [STILL INCOMPLETE]
    crypto(3): [STILL INCOMPLETE]
    HOWTO: [STILL INCOMPLETE]

    I would trade in the last 12 months worth of OpenSSL development for some decent documentation. [STILL INCOMPLETE] is a half truth as well; the complete bits suck in novel ways.

  9. Ovaltine by MrEricSir · · Score: 5, Funny

    Why do they call it Ovaltine? The mug is round. The jar is round. They should call it Roundtine.

    --
    There's no -1 for "I don't get it."
    1. Re:Ovaltine by Anonymous Coward · · Score: 3, Funny

      That's gold, Jerry. GOLD!