Slashdot Mirror


User: Elessar

Elessar's activity in the archive.

Stories
0
Comments
13

Comments · 13

  1. Re:Just another reminder to use LibreSSL on OpenSSL Security Update Less Critical Than Expected, Still Recommended · · Score: 1

    This is not a fair comparison.

    LibreSSL forked OpenSSL 1.0.1. Therefore LibreSSL would never have been vulnerable to issues that did not affect 1.0.1 - since those arose after the codebases split. A fairer comparison would be to compare issues that affected OpenSSL 1.0.1 with LibreSSL. You also should not include CVE-2015-0204 since that is just a reclassification of a previously fixed defect. Similarly CVE-2015-0292 was a historic issue not in recent versions of OpenSSL so also should not be included. By the time you remove all of those you get down to one issue that affected OpenSSL but not LibreSSL:

    DoS via reachable assert in SSLv2 servers (CVE-2015-0293) - Severity: Moderate

    This issue also did not affect the current development version of OpenSSL only historic versions due to clean ups the OpenSSL team have been doing.

  2. A different perspective on OpenSSL 1.0.2 Released · · Score: 2

    First off, full disclosure...I am a member of the OpenSSL development team.

    I've read a lot of anti-OpenSSL comments here along with some fairly amusing conspiracy theories! Some criticism is fair but much is not in my view.

    OpenSSL is a very different project to what it was a year ago. This time last year the development team was very small (6 people...not all of whom were active coders, most of whom were doing it in their spare time). Supporting the project was (and still is) a thankless task, and they did their best - but frankly the resources were not there to do the job properly. There is now a whole new team, built upon the original, running the project. We have gone from 6 people to 15 and brought on board a number of full timers. I know most of that team personally, and I can tell you that you couldn't hope to find a more dedicated and experienced team. There is a strong sense of responsibility, along with lots of plans in place for how to make things better.

    A lot is said about the problems with OpenSSL. Let me tell you about some of its strengths. The library will run on practically anything from desktops, to high end servers, to embedded devices, to mainframes, to mobile phones. It is highly optimised and is *fast*. We are lucky enough to have Andy Polyakov on the team who brings an exceptional talent in performing those optimisations. Due to its position in the market place OpenSSL is probably the most studied security software product out there. That study has intensified since Heartbleed. During the last year there have been a number of security issues identified and fixed as a result of that intensified study. This is a *good* news story.

    I am really excited about what the future holds for the project. We are busy working on 1.1.0, which brings with it a focus on reducing complexity. Improved documentation (which I've seen mentioned a number of times on this page) is also on our roadmap. I'm not complacent...I know there is a lot still to do...but I have a huge amount of confidence in the team that is now in place.

  3. Re:So my old OpenSSL library is fine then? on New OpenSSL Man-in-the-Middle Flaw Affects All Clients · · Score: 1

    If you are using OpenSSL as a client then you are vulnerable. On the server side the bug is still there but there is no known way of exploiting it prior to 1.0.1. You are still recommended to upgrade - but Ubuntu will provide the relevant fixes.

  4. Re:Hello World! Computer Programming for Kids and on Ask Slashdot: Best Book For 11-Year-Old Who Wants To Teach Himself To Program? · · Score: 1

    My son has used this book, and I can thoroughly recommend it. It leads the kid through programming by getting them to write various games in Python - increasing in complexity throughout. When I was a kid learning to program, writing games is what I first wanted to do. The book gets the tone just right, and I think my son has enjoyed working with it.

  5. RIP Anne on Anne McCaffrey Passes Away At 85 · · Score: 1

    Goodbye Anne. RIP.

  6. Re:Mobile Farms on World's Largest Wind Farm Gets Green Light · · Score: 1

    One of the biggest problems with offshore electricity generation is how you hook the power you generate back into the grid. Obviously there has to be some kind of cable going from where you are generating back into some form of onshore infrastructure to distribute the electricity to where it needs to be to be useful.

  7. Doubt on Omega-3 benefits on Bring Home the Biotech Bacon · · Score: 2, Informative

    This may not be so great. This recent story http://news.bbc.co.uk/1/hi/health/4838086.stm/ casts doubts on the benefits of omega-3.

  8. Doomed to failure on Chinese, U.S. Condemn Censorship · · Score: 1

    In my view the Chinese censorship is ultimately doomed to failure. The internet is so dynamic that there will always be "sensitive" content that slips through the net. Also it is fundamental human nature to be curious. If you see a big red button labelled "do not press" - your immediate thoughts are "I wonder what would happen if I did?". Similarly if you censor content the natural reaction is "I wonder what I am not being told?". With that curiosity added to human ingenuity, it means that people will always find ways around the censors. Sooner or later the Chinese will realise this and censorship will end.

  9. Only compulsory when applying for a passport on UK MPs Approve Compulsory ID Cards · · Score: 5, Informative

    Actually it is only compulsory when applying for a passport. It will not be compulsory otherwise.

  10. No Windows support? on Universal Emulators Return · · Score: 2, Interesting

    The website says "...supports operating system mapping between any two Unix/Linux-like operating systems, as well as mapping between mainframe and any Unix/Linux-like operating systems...". This would suggest that there is no mapping between Windows and Unix...

  11. Re:The one thing that really bugs me on Thawte Bought by Verisign · · Score: 1

    Well if you wish you can set up an SSL server, create your keys, and then sign your own certificate, i.e. "Signed by John Doe Certificate Authority". The server will work perfectly well and the browsers can talk perfectly happily with it. The only problem is when you access the site you will get some dialog boxes popping up telling you that the site is untrusted. Modern browsers will let you set up an encrypted session with a server that they don't trust - but they will tell you what they're doing first.

  12. S/Mime on Ask Slashdot: Cryptography in Mail software? · · Score: 1

    In my view S/MIME is a superior protocol for encrypting email to PGP. It is supported by the major mail clients (e.g. Netscape's Messenger), and I believe is easier to use. Its main disadvantage is that its support among "free" mail clients appears to be non-existent...
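
    The two comments above (11 and 12) describe, in prose, a self-signed "John Doe Certificate Authority" certificate that browsers will use but not trust, and S/MIME as a way to sign and encrypt mail. The script below is an added worked example, written for this page and not taken from the comments or from the OpenSSL project: it builds exactly that certificate with the openssl command-line tool, shows the same chain failing against the default trust store and succeeding once the certificate is pinned as a trust anchor, then uses the key and certificate for an S/MIME sign/verify round trip (including a tampered copy that must fail) and an encrypt/decrypt round trip. It assumes openssl 1.1.0 or later is on PATH (earlier releases did not return a non-zero exit status from `openssl verify`); the subject name, file names and message text are illustrative.

```shell
#!/bin/sh
# Added example, not code from the comments above or from OpenSSL itself.
# Assumes openssl (>= 1.1.0) is on PATH; names and message text are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Key plus self-signed certificate in one step: -x509 emits a certificate
# instead of a signing request, so "John Doe" is both subject and issuer.
# -nodes leaves the key unencrypted so a server can load it unattended.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=John Doe Certificate Authority" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# Chain building against the default trust store: nobody vouches for
# "John Doe", so this is the "untrusted site" case the browser warns about.
verify_default_store() {
    if openssl verify "$WORK/server.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Pinning the certificate itself as the trust anchor (what a user does by
# permanently accepting the browser dialog) makes the same chain verify.
verify_pinned() {
    if openssl verify -CAfile "$WORK/server.crt" "$WORK/server.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# S/MIME signature: a detached multipart/signed message. -text wraps the
# body in a text/plain MIME part, the layout mail clients expect.
smime_sign() {
    openssl smime -sign -text -in "$WORK/msg.txt" -signer "$WORK/server.crt" \
        -inkey "$WORK/server.key" -out "$WORK/signed.eml" 2>/dev/null
}

# Verify a signed message against the self-signed certificate as trust
# anchor and check that the recovered body is the one we sent.
smime_verify() {
    if openssl smime -verify -text -in "$1" -CAfile "$WORK/server.crt" \
        -out "$WORK/recovered.txt" >/dev/null 2>&1 \
       && grep -q 'Hello, world.' "$WORK/recovered.txt"; then
        echo verified
    else
        echo failed
    fi
}

# Alter the signed text in transit: the digest no longer matches, so
# verification must fail even though the certificate is still trusted.
make_tampered() {
    sed 's/Hello, world\./Hacked, world./' "$WORK/signed.eml" > "$WORK/tampered.eml"
}

# S/MIME encryption to the certificate's public key, decrypted with the key.
smime_encrypt_decrypt() {
    openssl smime -encrypt -aes256 -in "$WORK/msg.txt" -out "$WORK/enc.eml" \
        "$WORK/server.crt" 2>/dev/null
    if openssl smime -decrypt -in "$WORK/enc.eml" -inkey "$WORK/server.key" \
        -recip "$WORK/server.crt" -out "$WORK/dec.txt" 2>/dev/null \
       && grep -q 'Hello, world.' "$WORK/dec.txt"; then
        echo recovered
    else
        echo failed
    fi
}

printf 'Hello, world.\n' > "$WORK/msg.txt"   # constructed sample message
make_selfsigned
smime_sign
make_tampered
echo "default trust store : $(verify_default_store)"
echo "pinned certificate  : $(verify_pinned)"
echo "signed message      : $(smime_verify "$WORK/signed.eml")"
echo "tampered message    : $(smime_verify "$WORK/tampered.eml")"
echo "encrypt/decrypt     : $(smime_encrypt_decrypt)"
```

The two `openssl verify` calls are the whole point of the "untrusted" dialog: the certificate, key and handshake are identical in both cases, and only the presence of a trust anchor changes the outcome. The tampered S/MIME message shows the other half of the story, that a trusted certificate does nothing to protect content whose signature no longer matches.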

  13. Skeptical on Faster Encryption Algorithm Found By 16 Year Old Girl · · Score: 2

    Hmm.... I'm very skeptical of this. I certainly wouldn't trust any new encryption algorithm until it has been hammered at for a good few years by some cryptanalysis experts. Some pretty intelligent people have proposed new algorithms over the years only to have them exposed as totally vulnerable shortly afterwards.

    In short - don't trust it (yet).