Slashdot Mirror

← Back to Stories (view on slashdot.org)

LibreSSL Unaffected By DROWN

Posted by timothy on from the waterproof dept.

serviscope_minor writes: The OpenBSD people forked and heavily cleaned up OpenSSL to create LibreSSL due to dissatisfaction with the maintainance of OpenSSL, culminating in the heartbleed bug. The emphasis has been on cleaning up the code and improving security, which includes removing things such as SSL2 which has fundamental security flaws. As a result, LibreSSL is not affected by the DROWN bug. LibreSSL is largely compatible with OpenSSL. The main exceptions are in the cases where programs use insecure functions removed from libreSSL, or require bug compatiblity with OpenSSL.

7 of 60 comments (clear)

  1. See what happens when you rm -frv *_old.c by Anonymous Coward · · Score: 3, Insightful

    Removing old code is the best feeling in the world - it's kind of like spring cleaning!

  2. Why is this newsworthy? by Anonymous Coward · · Score: 1, Insightful

    `Why is this newsworthy? "This just in: software without a feature doesn't have vulnerability related to said feature."

    1. Re: Why is this newsworthy? by Anonymous Coward · · Score: 4, Insightful

      Removing support for an inherently broken and insecure feature is tantamount to writing better code.

  3. Re:Another Fine Reason... by Anonymous Coward · · Score: 1, Insightful

    The perpetual drive to bring Linux "to the desktop" and to compete with much more visually polished OS's such as MacOS and Windows has caused Linux devs to abandon the original project priorities and go chasing shiny things and add too much bloat, because somebody somewhere things that is what people care about. Linux shouldn't be about trying to catch up to or compete with the commercial OS, it should be about making sure it does what it is good at flawlessly and securely. Security concerns are only going to increase as we move forward and more and more of our lives and data are connected to the internet.

  4. Re:Another Fine Reason... by mlw4428 · · Score: 4, Insightful

    The team working on OpenSSL is not the same team working on Linux. This is like being upset because the Photoshop team is thin on resources so you dump Windows. It's, frankly, a stupid thing to think.

  5. Please stop by WaffleMonster · · Score: 4, Insightful

    It's 2016.. If your in any way affected by SSLv2 + export ciphers and you still feel compelled to blame it on the TLS stack - please do everyone a favor and find a new line of work.

  6. Way to miss the point! by Anonymous Coward · · Score: 3, Insightful

    You missed the point, and so did the idiots who upmodded you.

    It doesn't matter who originally wrote the code.

    What matters is that so many Linux distro maintainers included the broken OpenSSL code in their distros, which directly affected the users of these Linux distros.

    Yet the OpenBSD maintainers, who clearly care far more about security than the Linux distro maintainers do, went out of their way to clean up and secure the broken OpenSSL code, and so OpenBSD users aren't affected by this serious flaw.

    That's the point the GP was making: Linux distro maintainers will subject their users to any old shitty code. The OpenBSD maintainers, on the other hand, are far more cautious and don't put their users in the bad position that the Linux distro maintainers do.

    This incident shows that we can trust OpenBSD, and that we just can't trust most Linux distros.