OpenSSL To Undergo Security Audit, Gets Cash For 2 Developers

Trailrunner7 (1100399) writes "Scarcely a month after announcing the formation of a group designed to help fund open source projects, the Core Infrastructure Initiative has decided to provide the OpenSSL Project with enough money to hire two full-time developers and also will fund an audit of OpenSSL by the Open Crypto Audit Project. The CII is backed by a who's who of tech companies, including Google, Microsoft, IBM, the Linux Foundation, Facebook and Amazon, and the group added a number of new members this week, as well. Adobe, Bloomberg, HP Huawei and Salesforce.com have joined the CII and will provide financial backing. Now, the OCAP team, which includes Johns Hopkins professor and cryptographer Matthew Green, will have the money to fund an audit of OpenSSL, as well. OpenSSL took a major hit earlier this year with the revelation of the Heartbleed vulnerability, which sent the Internet into a panic, as the software runs on more than 60 percent of SSL-protected sites."

Why bother?

[Anonymous Coward]

The whole security model is broken. How many CAs does your browser come with these days? Do you even know? How do you know they haven't already turned over their CA signing keys to 7 different governments?

There's no way to "fix" openssl. The entire thing is predicated on a false premise.

Share and Share Alike

[just_another_sean]

While I applaud the efforts and support I do hope that the work of others [opensslrampage.org] will not be ignored. The audit is great news, but I do hope the existing and new developers will look to LibreSSL for code updates, ideas and their own audit results. If we can get a nice bidirectional and completely cooperative flow between the two projects than hopefully the final result will be a highly secured, audited product that we can all use.

"Audit"? Try massive rewrite.

[rbrander]

The comments from the folks who started LibreSSL at a meeting of the Calgary Unix Users Group the other night were beyond scathing. Bob Beck's first slide shows Laura Dern in Jurassic Park, up to her elbows in stegasaurus dung, as a metaphor for what the first skim of the code felt like. It's a hopelessly overpatched mess of spaghetti code and #IFNDEF mazes that nobody can really maintain. Their fork has already tossed out tens of thousands of lines of code and started again. (Another slide shows the line from Aliens: "Nuke it from orbit. It's the only way to be sure").

If not a from-scratch rewrite, think of a home reno where you have to strip it to the frame and put up new drywalls.
And this situation was allowed to grow by the current bunch that manage OpenSSL; they're only doing this at all because one of the hundreds of time-bombs in the code finally went off, and anybody who's looked it knows how many hundreds more there are. For shame.

There's a link to the slides from the libressl.org site, which is very minimal, as they say "We're too busy deleting code to make web pages".

It was just a very sobering presentation. To think we let so much depend on a pile of cruft.

Comment removed

[account_deleted]

Comment removed based on user account deletion

LibreSSL For Me

[Anonymous Coward]

Two developers added to an already crummy project? Ha! I'll send my money to the OpenBSD project, instead. OpenSSH and pf are just two examples of how they got the job done when outside projects fail to deliver. They'll do the same with LibreSSL, and in a year most everybody will have switched.

Send the OpenBSD project some money: http://www.openbsdfoundation.org/

Re:Why bother?

[Imagix]

Yet again, another person who can't distinguish between the technology and a particular application of that technology. What you're complaining about has nothing to do with the implementation of OpenSSL (which is what this article is about), but has to do with the application of OpenSSL. OpenSSL is doing it's job by verifying the presented certificates against the list of trusted certificate authorities that you have configured. The fact that you're trusting too many people isn't a problem with OpenSSL. (It is also not OpenSSL's concern as to how you obtained your list of trusted CAs, only that you have one.)

Re:"Audit"? Try massive rewrite.

[QuietLagoon]

...Humans make mistakes. Clever people make just as many mistakes....

You left out the part about clever people not continuing to make the same mistakes over and over.

.
The problem with OpenSSL is not that mistakes were made.

The problem is that mistakes were made and the developers did not learn from those mistakes, did not seem to care about fixing those mistakes, and did not care about preventing similar mistakes from recurring.

Re:wrong direction.

[colfer]

The big companies probably want more control over the project than LibreSSL will allow them. They've been burned once by relying on old-style Unix community dev. But it's also entirely their own fault for not funding and auditing the open source code they were building their billions on.

Seems to me LibreSSL is the way to go, but I can also see why the corporations would just use it as a side-stream for hints on what to fix. They have enough resources to rewrite openSSL from the inside rather than the the LibreSSL tear-down approach. Having both projects is really a benefit for LibreSSL as longs as it gets sufficient interest and resources.

Re:"Audit"? Try massive rewrite.

[Wootery]

The problem is that mistakes were made and the developers did not learn from those mistakes, did not seem to care about fixing those mistakes, and did not care about preventing similar mistakes from recurring.

To play Devil's advocate (or rather, advocate of the developers): if they were a properly resources software-development team, they might have been better able to pay off the technical-debt accumulating in the codebase. Hopefully this injection of resources will change things for the better. (The LibreSSL crew seem to be making good progress on the technical debt front, also.)