Every software developer, please stop using OpenSSL. It was crap then, it is crap now and it will be crap tomorrow. And LibreSSL is not the solution. You can't turn crap into something nice. You want a decent SSL library, try mbed TLS. Unlike OpenSSL, this library has good documentation (example programs included), has a logical and sane API (no ugly callback shit) and its code is clean and secure.
I switched from OpenSSL to mbed TLS (named PolarSSL back then) in my open source project some time ago. I should have done it earlier! The migration was easy and only cost me a few days. So, stop punishing yourself and give mbed TLS a try. You won't regret it!!
Disclaimer:
No, I'm in no way connected to mbed TLS. Just a happy mbed TLS user who doesn't understand why people keep on torturing themselves and their users.
Citizen of the Netherlands here. That's fine. The rest of the EU no longer wants to suffer for your incompetence in paying your taxes. And you still owe each one of us € 1100+. We still want that back.
The EU has been cruel?? Excuse me? Their crisis is completely their own fault. Instead of pointing fingers, the Greek people must start paying taxes.
In that case, you better try mbed TLS (former PolarSSL). It has been tested and audited more times than this untested newcomer. And it has full support for everything that is needed. mbed TLS makes every new attempt to implement an SSL / TLS library obsolete immediately.
Agree. It's better to build something rock solid which supports only 80% of all use cases than to end up with something big and bloated that handles every thinkable use case. Yes, the ultimate thing is to have something rock solid that supports everything, but that's a utopia.
Good, then start debugging. Because I got compile errors on both Linux and MacOS X.
I can advise every software developer to take a look at mbed TLS (former PolarSSL). It has everything a modern SSL-enabled application needs. Its API is easier than OpenSSL's, it has very good documentation (example programs included) and last but not least: it's secure!
No, I'm not the mbed TLS developer or in any way connected or related to mbed TLS. I'm just a very happy developer who replaced OpenSSL with mbed TLS in my project many years ago and never had any reason to look back. Even the users of my project are very happy with it. Good riddance!!
I know, that was not the question. But how much will it cost?
I know that once I upgrade, I will always be able to use it. But what I meant was: can I download the upgrade and obtain a license now and use it later?
The upgrade will be free for one year after the release. But what after that year? What will it cost? Can I download the upgrade and use it later (after one year) and then still use it for free?
Systemd, yuck, no thanks. It seriously makes me consider moving to FreeBSD.
I knew you would come up with these articles. Those troll articles are filled with incorrect claims, things that are not PHP specific and outdated stuff. You only believe those stories because you want to believe them. Please, grow up.
Seriously, man: OpenBSD? Really?
As you can see, pointless flaming can be done about anything. If you want to criticize PHP, come up with some proper and valid arguments. Otherwise, you're nothing more than a loudmouth fanboy. I have several PHP websites running for many years, without a single hack, without any significant downtime (besides server maintenance) and with proper speed. PHP is just a tool, it's the developer that makes it a good or bad website.
And there you have the reason why almost nobody uses OpenBSD.
No, most people want to run a simple PHP website (Wordpress, Drupal, etc). But since almost every modern CMS and framework requires at least a simple form of URL rewriting (rewrite every request for a non-existing file to /index.php), OpenBSD's httpd is a no-go.
I understand they replaced nginx with something different. But why a half-finished webserver that doesn't even support things like URL rewriting? For those who seek a secure webserver, but with features to properly support the modern website/framework/CMS, try the Hiawatha webserver.
I'm talking about the Banshee PHP framework. I'm open to feedback. But when I get the usual vague claims about issues without any proof or pointless flaming about how it's not anything like Wordpress, then I'm out.
The issue described in this topic (cross-site scripting) is very old (about 15 years in this case). But so is its solution. The same goes for all other security issues. There is no reason and therefore no excuse to have such or any other known vulnerability in your website today. Especially because the solutions are very easy. Security is no rocket science!
The majority of all hack attempts are for SQL injection, cross-site scripting, cross-site request forgery, remote file inclusion, directory traversal, etc. You can look them up, there are even many websites dedicated to them (owasp.org for example). There is, I say it again, no excuse to not know about these vulnerabilities and to have one of them in your website.
The only web developers who still have such security bugs in their software are 1) lazy 2) incompetent 3) not interested in security or 4) have been asleep for 15 years. Whatever the reason is, it's not wise to use their software!
I don't think your arguments are valid. There is much more between a free Wordpress website and a custom coded CMS + all the extras. You know this. And sure you can set up a website in 20 minutes for free. But if that's the price you want to pay, then that's the quality you get. And btw, I also can set up a website within 20 minutes for free, but with a CMS that even the most skilled hacker will have a hard time hacking.
And before you come up with "but my Wordpress websites also have never been hacked", I meant: hack-free without any update or me having to worry about its security.
Sorry, I'm not going to tell. Because every time I did, the discussion ended in a useless flamewar with people coming up with all sorts of nonsense arguments that had nothing to do with security, just to criticize my framework. The framework I use is not 100% perfect. And of course it also can't be, because things like user-friendliness and shininess are very personal / subjective. But its security is good and I have years of hack-free websites to prove that. And several of those receive many daily attacks, because of the ICT-security-related content of the website.
My only point is: try to give security a higher priority and do some research before using a framework. There are many CMSes out there which may not be as shiny as Wordpress but are more than good enough and have better security than Wordpress.
A not-so-shiny CMS doesn't mean that the website you create with it can't be shiny. Those are two separate things. Of course, the actual website must be shiny, but the CMS should be (if you ask me) secure and trustworthy.
So, that left your website vulnerable for a few hours... again!
And being a prime target wouldn't be a problem if it had proper security...
And still we keep on using Wordpress. When will people start looking beyond a nice and shiny interface and put quality (which includes security) at the top of their priority list? When you have made the first selection with that criterion, you can look for the fanciest interface. And don't give me the excuse of 'but my web editors have to be able to use it'. Bullshit, lame excuse. Fire them and hire more competent personnel or send them to a proper training.
And when the first plane crashes due to a bug in the pilot software, we all start wondering again if removing the pilot was a wise decision.
This whole Germanwings plane crash shows, again, one important thing: people suck at dealing with risks. Several hundred thousand flights went well. The last incident with a pilot causing a plane to crash was back in 1995. The Germanwings plane crash was an incident. We must learn to treat it that way, as an incident. No reason to panic and start changing policies, rules and procedures. With every change, new risks and new ways for things to go wrong will be introduced. When that happens and you again make changes, you end up in a loop of changing things. The result: the changes will cost a lot of time, energy and money while the risks are not reduced.
We need to start accepting that risks are part of our life. Unacceptable risks need to be dealt with, but more important: acceptable risks should be accepted, even when they occur!!!!