Slashdot Mirror


Once a Forgotten Child, OpenSSL's Future Now Looks Bright

Trailrunner7 writes: Rarely does anything have a defined turning point in its history, a single day where people can point and say that was the day everything changed. For OpenSSL, that day was April 7, 2014, the day that Heartbleed became part of the security lexicon. Heartbleed was a critical vulnerability in the venerable crypto library. OpenSSL is everywhere, in tens of thousands of commercial and homespun software projects. And so too, as of last April, was Heartbleed, an Internet-wide bug that leaked enough memory that a determined hacker could piece together anything from credentials to encryption keys.

"Two years ago, it was a night-and-day difference. Two years ago, aside from our loyal user community, we were invisible. No one knew we existed," says Steve Marquess, cofounder, president and business manager of the OpenSSL Foundation, the corporate entity that handles commercial contracting for OpenSSL. "OpenSSL is used everywhere: hundreds, thousands of vendors use it; every smartphone uses it. Everyone took that for granted; most companies have no clue they even used it." To say OpenSSL has been flipped on its head—in a good way—is an understatement.

Heartbleed made the tech world realize that the status quo wasn't healthy to the security and privacy of ecommerce transactions and communication worldwide. Shortly after Heartbleed, the Core Infrastructure Initiative was created, uniting The Linux Foundation, Microsoft, Facebook, Amazon, Dell, Google and other large technology companies in funding various open source projects. OpenSSL was the first beneficiary, getting enough money to hire Dr. Steve Henson and Andy Polyakov as its first full-timers. Henson, who did not return a request to be interviewed for this article, is universally known as the one steady hand that kept OpenSSL together, an unsung hero of the project who along with other volunteers handled bug reports, code reviews and changes.

6 of 76 comments

  1. Re: Huh? What? by Anonymous Coward · Score: 2, Insightful

    Revisionist shitstory.

    The OpenSSL declared themselves emperors of security. They declared you knew shit and could help. They declared their cloth was whole.

    These emperors were shown to wear no clothes. They weren't secure, they were pompous asses.

    All the eyes don't matter when the gate keeper sucks.

  2. Re:Paid Advertisement by Anonymous Coward · Score: 2, Insightful

    So that's what they are using all those grants and donations for?
    To promote their shitty software and the engineers working on it?
    I really wish the money was called back and given to LibreSSL and other projects which actually deserve it.

  3. Re:Paid Advertisement by swillden · Score: 5, Insightful

    > Someone has to be shilling to post a summary like that one. The only future for OpenSSL is to be replaced over time by LibreSSL or another competitor.

    Nah. The OpenSSL codebase will get cleaned up and become trustworthy, and it'll continue to be used. The other forks, especially LibreSSL and Google's BoringSSL, will be used, too... and that's a good thing. Three fairly API-compatible but differing implementations will break up the monoculture so bugs found in one of them (and they *will* have bugs) hopefully won't hit all three of them.

    It's tempting to see such apparent duplication of effort as wasteful, but it's really not. Diversity is good and competition is good.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  4. Money given to the people that screwed up... by QuietLagoon · Score: 3, Insightful

    So let's see... from what I've read the OpenSSL project was a mess, poorly managed, with bad code and a very lax attitude towards fixing bugs that were reported.

    So how was the problem with OpenSSL solved?

    Well, the same people, with their same ideas, who could not run a successful project in the past were given large amounts of money to run the project in the future. The summary for this thread reads more like a self-congratulatory press release from the OpenSSL people, rubbing in our faces that they managed to get money to continue their poor project management.

  5. Re:Paid Advertisement by swillden · Score: 4, Insightful

    > > The OpenSSL codebase will get cleaned up and become trustworthy, and it'll continue to be used

    > Cleaned up and trustworthy? Unlikely. The wrong people are still in charge for that to happen.

    Nonsense. The people running the OpenSSL project are competent and dedicated. OpenSSL's problem was lack of resources. It was a side project with occasional funding to implement specific new features, and the funders of new features weren't interested in paying extra to have their features properly integrated and tested. That's not a recipe for great success with something that really needs a full-time team.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  6. Re:Paid Advertisement by hairyfeet · Score: 1, Insightful

    If there is but one thing everyone should have learned from Heartbleed and Shellshock it is this....many eyes is a myth based on an "is ought" fallacy.

    OpenSSL and Bash are the two most widely deployed pieces of code on the planet, bar none. If "many eyes" were true that fact SHOULD have made them the most vetted code on the planet....but they weren't, why? Because "many eyes" is an "is ought" fallacy in that because the source code IS there and it IS in wide use there OUGHT to have been at least one or more people with the years of training in low level code auditing that should have looked at the code and found the bugs and reported them.....this ignores the facts, which are 1.- The guys that can do low level auditing are very few, 2.- They are usually swamped with jobs that pay them, and most importantly 3.- Everyone is gonna ignore the code because they'll believe somebody else did it thanks to the "many eyes" myth.

    This is why "many eyes" should be considered a harmful myth to allow to spread, since everybody just assumes somebody else has done the work when in reality? I bet if you looked at the number of downloads of the source for the low level code in your average Linux distro you'll find that nobody other than the guys that are actually working on the code have downloaded it. So let us all put the "many eyes" myth to bed, and then maybe everyone won't just assume the work has been done and actually start looking at the code!

    --
    ACs don't waste your time replying, your posts are never seen by me.