Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Sunday May 18 2014, @05:44AM   Printer-friendly
from the got-your-acronyms-here dept.

Bob Beck who is an OpenBSD, OpenSSH, and LibreSSL developer as well as the director of Alberta-based non-profit OpenBSD Foundation gave a talk earlier today at BSDCan 2014 in Ottawa, discussing and illustrating the OpenSSL problems that have led to the creation of a big fork of OpenSSL that is still API-compatible with the original, providing a drop-in replacement, without the #ifdef spaghetti and without its own "OpenSSL C" dialect.

Bob is claiming that the Maryland-incorporated OpenSSL Foundation is nothing but a for-profit front for FIPS consulting gigs, and that noone at OpenSSL is actually interested in maintaining OpenSSL, but merely adding more and more features, with the existing bugs rotting in bug-tracking for a staggering 4 years (CVE-2010-5298 has been independently re-discovered by the OpenBSD team after having been quietly reported in OpenSSL's RT some 4 years prior).

Bob reports that the bug-tracking system abandoned by OpenSSL has actually been very useful to the OpenBSD developers at finding and fixing even more of OpenSSL bugs in downstream LibreSSL, which still remain unfixed in upstream OpenSSL.

It is revealed that a lot of crude cleaning has already been completed, and the process is still ongoing, but some new ciphers already saw their addition to LibreSSL RFC 5639 EC Brainpool, ChaCha20, Poly1305, FRP256v1, and some derivatives based on the above, like ChaCha20-Poly1305 AEAD EVP from Adam Langley's Chromium OpenSSL patchset.

To conclude, Bob warns against portable LibreSSL knockoffs, and asks the community for Funding Commitment -- the Linux Foundation is turning a blind eye to LibreSSL, and instead is only committed to funding OpenSSL directly, despite the apparent lack of security-oriented direction within the OpenSSL project upstream. Funding can be directed to the OpenBSD Foundation.

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 4, Informative) by melikamp on Sunday May 18 2014, @07:24AM

    by melikamp (1886) on Sunday May 18 2014, @07:24AM (#44799) Journal
    From the presentation:

    "Weaponized" Comic Sans:
    "This page scientifically designed to annoy web hipsters - donate now"
    Actually quite sad that far more people will express their outrage over the use of Comic Sans on a web site than reading the asn1 code and expressing their outrage over that.
    Having said that we did get a nice amount of Paypal donations when I put that up.

    Starting Score:    1  point
    Moderation   +2  
       Informative=2, Total=2
    Extra 'Informative' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   4  
  • (Score: 1) by Refugee from beyond on Sunday May 18 2014, @09:46AM

    by Refugee from beyond (2699) on Sunday May 18 2014, @09:46AM (#44815)

    >"This page scientifically designed to annoy web hipsters - donate now"

    That's hardly professional attitude, though.

    --
    Instantly better soylentnews: replace background on article and comment titles with #973131.
    • (Score: 2) by Nerdfest on Sunday May 18 2014, @02:12PM

      by Nerdfest (80) on Sunday May 18 2014, @02:12PM (#44870)

      Having a sense of humour in a presentation is hardly unprofessional. It's also great marketing most of the time as it gets some attention, and in this case, likely attention from the correct audience.

      • (Score: 1) by Refugee from beyond on Sunday May 18 2014, @02:23PM

        by Refugee from beyond (2699) on Sunday May 18 2014, @02:23PM (#44876)

        Calling names is, though.

        --
        Instantly better soylentnews: replace background on article and comment titles with #973131.
        • (Score: 1) by steveha on Monday May 19 2014, @07:45AM

          by steveha (4100) on Monday May 19 2014, @07:45AM (#45123)

          Calling names is [unprofessional]

          Yeah. I watched the YouTube video of the presentation, and I'm of two minds about it. On the one hand, it's kind of unprofessional to just keep slamming the OpenSSL guys. On the other hand... it seems like the OpenSSL guys really deserve all the abuse. (Horrible security issues languishing for four years, unfixed? WTF?)

          I have to agree that the OpenSSL situation was so dire that a hostile fork really was justified. I'm cheering for the LibreSSL guys, and I look forward to future presentations where they will talk more about cool technical security stuff and not so much about how truly awful OpenSSL was.

          • (Score: 0) by Anonymous Coward on Monday May 19 2014, @10:36AM

            by Anonymous Coward on Monday May 19 2014, @10:36AM (#45158)

            The name calling mentioned by GP is probably in relation to the word hipster being used to describe the GPer. The presentation doesn't attack any OpenSSL developer. Either directly or as a group. It does mention that their code is crap, which is an objective truth. And points to a possible reason: OpenSSL inc. which again does objectively exist and it does what it does. If they or someone by proxy feel offended, they are free to change jobs. OpenSSL inc. doesn't have them as slaves, I suppose.

  • (Score: 2) by maxwell demon on Sunday May 18 2014, @10:04AM

    by maxwell demon (1608) on Sunday May 18 2014, @10:04AM (#44818) Journal

    If all you want is to annoy web hipsters, then all you have to do is to use HTML without any fancy CSS. Use basic HTML items, let the browser choose colours and fonts, use nothing than bare HTML. This will annoy web hipsters without annoying almost everyone else.

    --
    The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 2) by kaszz on Sunday May 18 2014, @12:35PM

      by kaszz (4211) on Sunday May 18 2014, @12:35PM (#44845) Journal

      Web hipsters can donate money for computer upgrades to read their mudpool of fluff. Here on it will be HTML v2 if lucky and hey it just works :P