Slashdot Mirror


OpenSSL To Undergo Massive Security Audit

rjmarvin writes Now that its codebase is finally viewed as stable, OpenSSL is getting a good top-to-bottom once-over in the form of a sweeping audit. As part of the Linux Foundation's Core Infrastructure Initiative, the foundation and the Open Crypto Audit Project are sponsoring and organizing what may arguably be the highest-profile audit of a piece of open-source software in history. The audit itself will be conducted by the information assurance organization NCC Group, and its security research arm, Cryptography Services, will carry out the code review of OpenSSL's 447,247 line codebase over the next several months.

5 of 69 comments

  1. Cue 1000 posts fundraising for OpenBSD by rahvin112 · Score: 3, Interesting

    Better get ready for 1000 posts Fundraising for OpenBSD with the LibreSSL project.

    Just remember, every dollar you donate for LibreSSL is not guaranteed to be spent on it, it goes into the general fund for OpenBSD.

  2. Not the time... by x0ra · Score: 4, Interesting

    Why bother with a security audit of the whole of OpenSSL as-is, right here, right now, when the LibreSSL fork has been doing a lot of work removing years of unmaintained cruft (cf. http://en.wikipedia.org/wiki/L...)? It seems to be an exercise in futility... I also wonder why give the job to a private company, which would certainly result in very bad transparency, when they could just launch a bounty program rewarding exploits & bug findings?!?

    1. Re:Not the time... by Anonymous Coward · Score: 1, Interesting

      Because your solution presents fewer opportunities for the NSA to get their fingers on the project and insert flaws and backdoors.

      Mod me down if you want, but that doesn't mean it's not true.

    2. Re:Not the time... by Noryungi · Score: 3, Interesting

      LibreSSL is a great project, but they ripped out portability along the way.

      Excuse me??!! Just like OpenSSH, they release a portable version, and the official release note says:

      This release also includes a binary package for convenience integrating LibreSSL on Windows platforms, and the latest source tarball is signed with GPG and signify for easier integration into existing build systems.

      We are talking about Windows, here... Sure, if you are into Windows 3.11 and VMS, LibreSSL is less portable than OpenSSL. But seriously, who even uses these two anymore??!!

      OK, I'll grant you that LibreSSL is not a complete replacement for OpenSSL just yet. OpenBSD devs prefer working on their favourite OS, and I can't blame them. This being said, I would not be surprised if, in a couple of years, the rest of the world has switched to LibreSSL and forgotten the older version -- just take a look at OpenSSH... ;-)

      --
      The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  3. Re:Must be designed secure - not "coded" by ezdiy · Score: 2, Interesting

    For what it's worth, NCC is not some self-appointed security snake oil but an industry behemoth who actually does software assurance. They harbor a lot of auditing talent (iSEC Partners, off the top of my head).

    Conversely, your nirvana fallacy does not hold up. OpenBSD was "designed" to be secure, just to become a laughing stock for the reasons you outlined. All code without formal proof (i.e. all systems code written in C) is potentially vulnerable no matter what. All you can do is throw the best auditing talent at it and hope for the best.