OpenSSL To Undergo Massive Security Audit
rjmarvin writes: Now that its codebase is finally viewed as stable, OpenSSL is getting a good top-to-bottom once-over in the form of a sweeping audit. As part of the Linux Foundation's Core Infrastructure Initiative, the foundation and the Open Crypto Audit Project are sponsoring and organizing what may arguably be the highest-profile audit of a piece of open-source software in history. The audit itself will be conducted by the information assurance organization NCC Group, and its security research arm, Cryptography Services, will carry out the code review of OpenSSL's 447,247-line codebase over the next several months.
Seems a bit late... Should have started the audit soon after the Heartbleed bug was found, not 11 months later.
Are you claiming they misrepresent where funding goes on the LibreSSL site?
"LibreSSL is supported financially by the OpenBSD Foundation and the OpenBSD Project. Please consider helping our efforts."
The OpenBSD team is still light years ahead in getting the bad code out of OpenSSL; this "audit" will not do as well as what they have already done.
It's also one of the funniest developer-centric things I've ever read - no holds barred for these guys in their contempt of the code they're ripping to shreds. Win/win.
Couldn't the first step be LibreSSL? They cleaned out a ton of junk and applied some uniform coding standards. That would be much easier to audit, and a much sounder base.
Exactly (no mod points left, sorry). Auditing OpenSSL makes about as much sense as auditing Windows 95: we already know it's broken beyond repair, and any further effort expended on it is just throwing good money after bad. Focus on something that's worth going with, like LibreSSL, or something that was never OpenSSL to begin with.