SoylentNews is people

posted by martyb on Sunday May 18 2014, @05:44AM   Printer-friendly
from the got-your-acronyms-here dept.

Bob Beck, an OpenBSD, OpenSSH, and LibreSSL developer and the director of the Alberta-based non-profit OpenBSD Foundation, gave a talk earlier today at BSDCan 2014 in Ottawa, discussing and illustrating the OpenSSL problems that led to the creation of a large fork of OpenSSL. The fork remains API-compatible with the original, providing a drop-in replacement without the #ifdef spaghetti and without OpenSSL's own "OpenSSL C" dialect.

Bob claims that the Maryland-incorporated OpenSSL Foundation is nothing but a for-profit front for FIPS consulting gigs, and that no one at OpenSSL is actually interested in maintaining OpenSSL, but merely in adding more and more features, with existing bugs rotting in bug-tracking for a staggering 4 years (CVE-2010-5298 was independently re-discovered by the OpenBSD team after having been quietly reported in OpenSSL's RT some 4 years prior).

Bob reports that the bug-tracking system abandoned by OpenSSL has actually been very useful to the OpenBSD developers for finding and fixing even more OpenSSL bugs in downstream LibreSSL, bugs which still remain unfixed in upstream OpenSSL.

He reveals that a lot of crude cleanup has already been completed and the process is still ongoing, but some new ciphers have already been added to LibreSSL: RFC 5639 EC Brainpool, ChaCha20, Poly1305, FRP256v1, and some derivatives based on the above, such as the ChaCha20-Poly1305 AEAD EVP from Adam Langley's Chromium OpenSSL patchset.

To conclude, Bob warns against portable LibreSSL knockoffs and asks the community for funding commitments -- the Linux Foundation is turning a blind eye to LibreSSL, and instead is only committed to funding OpenSSL directly, despite the apparent lack of security-oriented direction within the upstream OpenSSL project. Funding can be directed to the OpenBSD Foundation.

  • (Score: 2, Interesting) by Anonymous Coward on Sunday May 18 2014, @06:35AM (#44788)

    Going through the slides, it seems to be a lost cause to give any further cent to the OpenSSL team. They're obviously quite incompetent.

    Can the Linux foundation divert money to LibreSSL?

  • (Score: 0) by Anonymous Coward on Sunday May 18 2014, @07:40AM (#44803)

    The Linux foundation has sadly made a commitment to the wrong team already http://www.linuxfoundation.org/news-media/announcements/2014/04/amazon-web-services-cisco-dell-facebook-fujitsu-google-ibm-intel [linuxfoundation.org]

    I doubt they would support two competing libraries especially if one is maintained by the *BSD people

    • (Score: 0) by Anonymous Coward on Sunday May 18 2014, @09:31AM (#44814)

      There is no money to be diverted by funding a competent team releasing quality code. Who is going to feed the hordes of Linux consultants?

  • (Score: 5, Informative) by mth (2848) on Sunday May 18 2014, @10:51AM (#44825)

    The summary is incorrect. Near the end of the presentation, Bob says they are still talking to the Linux Foundation: they "haven't said 'no', haven't said 'yes'" (video [youtu.be]).
  • (Score: 2) by pe1rxq (844) on Sunday May 18 2014, @11:36AM (#44834)

    It would be a bit more fair to give the OpenSSL team a chance to respond before labeling them incompetent. Right now you only have the presentation of the LibreSSL team, which has a clear conflict of interests.
    Do they really only want to be paid for new features instead of doing maintenance? Or was there simply nobody who wanted to pay for maintenance?

    Personally I think it is a good thing to have multiple implementations, but LibreSSL has not yet proven to me that they are much better. They are getting the low-hanging fruit right now, but ripping out and changing huge amounts of code in a very short time sounds dangerous. They are bound to introduce at least a few new bugs by their actions.
    I'll wait a little bit before calling their version the better one.

    • (Score: 0) by Anonymous Coward on Sunday May 18 2014, @12:34PM (#44844)

      It doesn't need a response really. We can all look at the OpenSSL code and their bug tracker right now. If there is a 4 year old problem on the tracker that they haven't bothered to deal with, they're clearly bad at what they do, or they don't do their job at all.

      Now the fork has fixes from the bugtracker that the original project never bothered to fix, f*cking unbelievable for a project this sensitive.

    • (Score: 3, Informative) by omoc (39) on Sunday May 18 2014, @01:02PM (#44854)

      Did you see the presentation? https://www.youtube.com/watch?v=GnBbhXBDmwU [youtube.com]

      The entropy mess alone shows that the OpenSSL people cannot be trusted with crypto stuff.

      • (Score: 2) by pe1rxq (844) on Sunday May 18 2014, @01:57PM (#44865)

        Did you really have a good look at the presentation?
        Just do a quick calculation on how many thousands of lines of code they removed every day on average! There is no way they read and fully understood every one of them.

        LibreSSL might end up being the best crypto library ever. But right now I am supposed to think they are great because 'we can make the other guys look stupid'.

        • (Score: 0) by Anonymous Coward on Sunday May 18 2014, @02:18PM (#44873)

          Reading the commit log, the other guys really asked for it.

          When it comes to security, I trust the OpenBSD team a whole lot more than everyone else. They're good at it and they do it for free and ask for donations later. OpenSSL may be called a foundation but it's a for-profit consultant company that obviously didn't even care about fixes people submitted to their bugtracker. You're not supposed to think anything, just look at the evidence and draw a conclusion.

          • (Score: 2) by pe1rxq (844) on Sunday May 18 2014, @09:59PM (#45015)

            The OpenBSD team indeed has a great reputation with respect to security.
            Unfortunately they also have a bad reputation for trash talking, with Theo being the poster boy of anti-social behavior.