Slashdot Mirror


Once a Forgotten Child, OpenSSL's Future Now Looks Bright

Trailrunner7 writes: Rarely does anything have a defined turning point in its history, a single day where people can point and say that was the day everything changed. For OpenSSL, that day was April 7, 2014, the day that Heartbleed became part of the security lexicon. Heartbleed was a critical vulnerability in the venerable crypto library. OpenSSL is everywhere, in tens of thousands of commercial and homespun software projects. And so too, as of last April, was Heartbleed, an Internet-wide bug that leaked enough memory that a determined hacker could piece together anything from credentials to encryption keys.

"Two years ago, it was a night-and-day difference. Two years ago, aside from our loyal user community, we were invisible. No one knew we existed," says Steve Marquess, cofounder, president and business manager of the OpenSSL Foundation, the corporate entity that handles commercial contracting for OpenSSL. "OpenSSL is used everywhere: hundreds, thousands of vendors use it; every smartphone uses it. Everyone took that for granted; most companies have no clue they even used it." To say OpenSSL has been flipped on its head—in a good way—is an understatement.

Heartbleed made the tech world realize that the status quo wasn't healthy to the security and privacy of ecommerce transactions and communication worldwide. Shortly after Heartbleed, the Core Infrastructure Initiative was created, uniting The Linux Foundation, Microsoft, Facebook, Amazon, Dell, Google and other large technology companies in funding various open source projects. OpenSSL was the first beneficiary, getting enough money to hire Dr. Steve Henson and Andy Polyakov as its first full-timers. Henson, who did not return a request to be interviewed for this article, is universally known as the one steady hand that kept OpenSSL together, an unsung hero of the project who along with other volunteers handled bug reports, code reviews and changes.

5 of 76 comments

  1. Re: Huh? What? by Anonymous Coward · Score: 2, Insightful

    Revisionist shitstory.

    The OpenSSL declared themselves emperors of security. They declared you knew shit and could help. They declared their cloth was whole.

    These emperors were shown to wear no clothes. They weren't secure, they were pompous asses.

    All the eyes don't matter when the gate keeper sucks.

  2. Re:Paid Advertisement by Anonymous Coward · Score: 2, Insightful

    So that's what they are using all those grants and donations for?
    To promote their shitty software and the engineers working on it?
    I really wish the money was called back and given to LibreSSL and other projects which actually deserve it.

  3. Re:Paid Advertisement by swillden · Score: 5, Insightful

    Someone has to be shilling to post a summary like that one. The only future for OpenSSL is to be replaced over time by LibreSSL or another competitor.

    Nah. The OpenSSL codebase will get cleaned up and become trustworthy, and it'll continue to be used. The other forks, especially LibreSSL and Google's BoringSSL, will be used, too... and that's a good thing. Three fairly API-compatible but differing implementations will break up the monoculture so bugs found in one of them (and they *will* have bugs) hopefully won't hit all three of them.

    It's tempting to see such apparent duplication of effort as wasteful, but it's really not. Diversity is good and competition is good.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  4. Money given to the people that screwed up... by QuietLagoon · Score: 3, Insightful

    So let's see... from what I've read the OpenSSL project was a mess, poorly managed, with bad code and a very lax attitude towards fixing bugs that were reported.

    So how was the problem with OpenSSL solved?

    Well, the same people, with their same ideas, who could not run a successful project in the past were given large amounts of money to run the project in the future. The summary for this thread reads more like a self-congratulatory press release from the OpenSSL people, rubbing in our faces that they managed to get money to continue their poor project management.

  5. Re:Paid Advertisement by swillden · Score: 4, Insightful

    The OpenSSL codebase will get cleaned up and become trustworthy, and it'll continue to be used

    Cleaned up and trustworthy? Unlikely. The wrong people are still in charge for that to happen.

    Nonsense. The people running the OpenSSL project are competent and dedicated. OpenSSL's problem was lack of resources. It was a side project with occasional funding to implement specific new features, and the funders of new features weren't interested in paying extra to have their features properly integrated and tested. That's not a recipe for great success with something that really needs a full-time team.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.