Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Sunday May 18 2014, @05:44AM   Printer-friendly
from the got-your-acronyms-here dept.

Bob Beck who is an OpenBSD, OpenSSH, and LibreSSL developer as well as the director of Alberta-based non-profit OpenBSD Foundation gave a talk earlier today at BSDCan 2014 in Ottawa, discussing and illustrating the OpenSSL problems that have led to the creation of a big fork of OpenSSL that is still API-compatible with the original, providing a drop-in replacement, without the #ifdef spaghetti and without its own "OpenSSL C" dialect.

Bob is claiming that the Maryland-incorporated OpenSSL Foundation is nothing but a for-profit front for FIPS consulting gigs, and that noone at OpenSSL is actually interested in maintaining OpenSSL, but merely adding more and more features, with the existing bugs rotting in bug-tracking for a staggering 4 years (CVE-2010-5298 has been independently re-discovered by the OpenBSD team after having been quietly reported in OpenSSL's RT some 4 years prior).

Bob reports that the bug-tracking system abandoned by OpenSSL has actually been very useful to the OpenBSD developers at finding and fixing even more of OpenSSL bugs in downstream LibreSSL, which still remain unfixed in upstream OpenSSL.

It is revealed that a lot of crude cleaning has already been completed, and the process is still ongoing, but some new ciphers already saw their addition to LibreSSL RFC 5639 EC Brainpool, ChaCha20, Poly1305, FRP256v1, and some derivatives based on the above, like ChaCha20-Poly1305 AEAD EVP from Adam Langley's Chromium OpenSSL patchset.

To conclude, Bob warns against portable LibreSSL knockoffs, and asks the community for Funding Commitment -- the Linux Foundation is turning a blind eye to LibreSSL, and instead is only committed to funding OpenSSL directly, despite the apparent lack of security-oriented direction within the OpenSSL project upstream. Funding can be directed to the OpenBSD Foundation.

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by pe1rxq on Sunday May 18 2014, @01:57PM

    by pe1rxq (844) on Sunday May 18 2014, @01:57PM (#44865) Homepage

    Did you really have a good look at the presentation?
    Just do a quick calculation on how many thousands of lines of code they removed every day on average! There is no way they read and fully understood every one of them.

    LibreSSL might end up being the best crypto library ever. But right now I am supposed to think they are great because 'we can make the other guys look stupid'.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 0) by Anonymous Coward on Sunday May 18 2014, @02:18PM

    by Anonymous Coward on Sunday May 18 2014, @02:18PM (#44873)

    reading the commit log, the other guys really asked for it

    When it comes to security, I trust the OpenBSD team a whole lot more than everyone else. They're good at it and they do it for free and ask for donations later. OpenSSL may be called a foundation but it's a for-profit consultant company that obviously didn't even care about fixes people submitted to their bugtracker. You're not supposed to think anything, just look at the evidence and draw a conclusion.

    • (Score: 2) by pe1rxq on Sunday May 18 2014, @09:59PM

      by pe1rxq (844) on Sunday May 18 2014, @09:59PM (#45015) Homepage

      The OpenBSD team indeed has a great reputation with respect to security.
      Unfortunatly they also have a bad reputation of trash talking with Theo being the posterboy of anti-social behavior.