ebrke Posted April 24, 2014
Changes at OpenSSL project: http://www.theguardian.com/technology/2014/apr/23/heartbleed-developers-libressl-openssl-security-software
V.T. Eric Layton Posted April 24, 2014
I saw the title to this thread and my first thought was, "Well, it's already forked, actually."
V.T. Eric Layton Posted April 24, 2014
Gads! They could have thought of a more original name. LibreSSL? I would have preferred something like "BypassSSL" or "StintSSL" or maybe "PacemakerSSL."
Guest LilBambi Posted April 24, 2014
LibreSSL works fine. In the vein of LibreOffice. Interesting way to get donations LOL!

"LibreSSL has launched with a deliberately bare-bones website, written in comic sans and using blinking text for the 'coming soon' sign. Philanthropists can donate 'to stop the comic sans', which is 'scientifically designed to annoy web hipsters'."

Actually, I would love to see OpenSSL have more clarity and encourage more developers/eyes. BTW: I don't mind the Comic Sans.
ross549 Posted April 24, 2014
From what I've heard, there's been a LOT of code stripped out of LibreSSL since the forking. I wonder how many bugs are being introduced in this process?
Adam
Guest LilBambi Posted April 24, 2014
OpenSSL code beyond repair, claims creator of "LibreSSL" fork - arstechnica

"OpenBSD developers 'removed half of the OpenSSL source tree in a week.' ... OpenBSD founder Theo de Raadt has created a fork of OpenSSL, the widely used open source cryptographic software library that contained the notorious Heartbleed security vulnerability. OpenSSL has suffered from a lack of funding and code contributions despite being used in websites and products by many of the world's biggest and richest corporations. The decision to fork OpenSSL is bound to be controversial given that OpenSSL powers hundreds of thousands of Web servers. When asked why he wanted to start over instead of helping to make OpenSSL better, de Raadt said the existing code is too much of a mess."

Theo de Raadt - Wikipedia

"Theo de Raadt is a software engineer who lives in Calgary, Alberta, Canada. He is the founder and leader of the OpenBSD and OpenSSH projects, and was a founding member of the NetBSD project."

I would say he knows a bit about security. If he says the code needed to go so it could be rebuilt, I would tend to believe he knows what he is doing. I would tend to be more concerned about the OpenSSL code that is still being used. I look forward to the code that Theo de Raadt and his new crew of developers come up with, personally.
ross549 Posted April 24, 2014
This really strikes me as knee-jerk opportunism. Yes, OpenSSL has issues. That much is very obvious. There's stuff in the code that is for very specific legacy applications. There's some things in it that are simply unnecessary. However, does that warrant running off with the code, and trying to reinvent the wheel?

"When asked what he meant by OpenSSL containing 'discarded leftovers,' de Raadt said there were 'Thousands of lines of VMS support. Thousands of lines of ancient WIN32 support. Nowadays, Windows has POSIX-like APIs and does not need something special for sockets. Thousands of lines of FIPS support, which downgrade ciphers almost automatically.'"

They seem to be concerned with bringing down the complexity of the code - a good thing - but will OpenSSL benefit from this?

Writing open source software is hard. TrueCrypt is a project lauded for being a stable and mature project. However, there are many that want to know about how secure the code really is, so a security audit has been funded for TrueCrypt. One part of the audit is complete, and here is an excerpt from the executive summary of the audit report:

"Overall, the source code for both the bootloader and the Windows kernel driver did not meet expected standards for secure code. This includes issues such as lack of comments, use of insecure or deprecated functions, inconsistent variable types, and so forth. A more in-depth discussion on the quality issues identified can be found in Appendix B."

From: https://opencryptoaudit.org/reports/iSec_Final_Open_Crypto_Audit_Project_TrueCrypt_Security_Assessment.pdf

When you have multiple coders working on the same project in an open source environment, you have issues with code. These folks are volunteers, and they will guard their code closely because they wrote it. The project admins don't want to rock the boat too much, so they don't give these guys too hard of a time, lest they lose the talent.

On top of that, coders move from the project after a period of time, and other coders must come in to replace them. How do they know/understand fully the code that's already been written? And then we have projects being forked, exacerbating the problem even more.

All the above relates to quality, readability, and complexity of the code. What about security?

I think forking the project was the wrong move. I suspect it boiled down to a difference of opinion. One developer wanted to lead the charge for change, but now we have to contend with a mess of code that will have to be cleaned up in stages. I think it would have been better to work within the OpenSSL project (one that has a large user base already), and get it up to snuff.
Adam
V.T. Eric Layton Posted April 24, 2014
"Knee-jerk opportunism," hmm? Did you just make that up? If so, COOL!
ross549 Posted April 24, 2014
I'm sure I've heard it somewhere.
Adam
Guest LilBambi Posted April 24, 2014
"They seem to be concerned with bringing down the complexity of the code - a good thing - but will OpenSSL benefit from this?"

It's open source. Of course OpenSSL can make use of it too.