OpenSSL To Undergo Security Audit, Gets Cash For 2 Developers
Trailrunner7 (1100399) writes "Scarcely a month after announcing the formation of a group designed to help fund open source projects, the Core Infrastructure Initiative has decided to provide the OpenSSL Project with enough money to hire two full-time developers and also will fund an audit of OpenSSL by the Open Crypto Audit Project. The CII is backed by a who's who of tech companies, including Google, Microsoft, IBM, the Linux Foundation, Facebook and Amazon, and the group added a number of new members this week, as well. Adobe, Bloomberg, HP, Huawei and Salesforce.com have joined the CII and will provide financial backing. Now, the OCAP team, which includes Johns Hopkins professor and cryptographer Matthew Green, will have the money to fund an audit of OpenSSL, as well. OpenSSL took a major hit earlier this year with the revelation of the Heartbleed vulnerability, which sent the Internet into a panic, as the software runs on more than 60 percent of SSL-protected sites."
The whole security model is broken. How many CAs does your browser come with these days? Do you even know? How do you know they haven't already turned over their CA signing keys to 7 different governments?
There's no way to "fix" openssl. The entire thing is predicated on a false premise.
The comments from the folks who started LibreSSL at a meeting of the Calgary Unix Users Group the other night were beyond scathing. Bob Beck's first slide shows Laura Dern in Jurassic Park, up to her elbows in stegosaurus dung, as a metaphor for what the first skim of the code felt like. It's a hopelessly overpatched mess of spaghetti code and #IFNDEF mazes that nobody can really maintain. Their fork has already tossed out tens of thousands of lines of code and started again. (Another slide shows the line from Aliens: "Nuke it from orbit. It's the only way to be sure.")
If not a from-scratch rewrite, think of a home reno where you have to strip it to the frame and put up new drywall.
And this situation was allowed to grow by the current bunch that manage OpenSSL; they're only doing this at all because one of the hundreds of time-bombs in the code finally went off, and anybody who's looked at it knows how many hundreds more there are. For shame.
There's a link to the slides from the libressl.org site, which is very minimal, as they say "We're too busy deleting code to make web pages".
It was just a very sobering presentation. To think we let so much depend on a pile of cruft.
http://www.libressl.org/
Seriously, pumping OpenSSL full of cash at this point is like buying new deck chairs for the Titanic.
Good people go to bed earlier.
The issue that I find is that OpenSSL is the only open source player out there.
But it is not the only SSL/TLS game in town. There is also GnuTLS and Network Security Services (NSS).
/^([Ss]ame [Bb]at (time, |channel.)){2}$/