[kwlug-disc] Stronger SSH keys and SSL certificates

Khalid Baheyeldin kb at 2bits.com
Tue Apr 22 12:54:15 EDT 2014

My own explanation:

The "given enough eyeballs all bugs are shallow" adage is true, and is true
in the case of OpenSSL as well. Even though the source code is open, there
were not enough eyeballs.

OpenSSL's code is complex, has a lot of cruft, uses its own memory
management, and supports too many obsolete platforms. So for many, it is
scary, inelegant, legacy, yucky, and the like.

Therefore there are effectively only a few eyeballs, if any, on it, hence
the bug remained in the code for 2 years.

Of course the process could be improved by mandating more rigorous code
reviews (e.g. 2 people have to vouch for the commit) before accepting a

The OpenBSD folk are ripping out all the old cruft from OpenSSL, and it has
been forked as LibreSSL as well.

On Tue, Apr 22, 2014 at 12:17 PM, CrankyOldBugger <crankyoldbugger at gmail.com> wrote:

> Interesting line in
> http://arstechnica.com/information-technology/2014/04/openssl-code-beyond-repair-claims-creator-of-libressl-fork/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+All+content%29, from OpenSSL Software Foundation President Steve Marquess:
> [As for Heartbleed], "the mystery is not that a few overworked volunteers
> missed this bug," Marquess wrote. "The mystery is why it hasn’t happened
> more often."
> On 22 April 2014 09:37, Giles Malet <gdmalet at gmail.com> wrote:
>> On 04/22/2014 03:42 AM, unsolicited wrote:
>>> So, now not only are you postulating that the NSA has injected source
>>> code into OpenSSL, and successfully had it accepted world wide for all
>>> compile from source repositories (otherwise there would be no point,
>>> there would be nothing on the other side of the connection for the NSA
>>> to exploit), you are suggesting that simultaneously they have done so
>>> into gcc to accept and hide the exploit.  [...]
>> I said none of that. Could you please keep your attributions correct. I
>> merely pointed out that one of your assertions is factually incorrect.
>> g
>> _______________________________________________
>> kwlug-disc mailing list
>> kwlug-disc at kwlug.org
>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org

Khalid M. Baheyeldin
2bits.com, Inc.
Fast Reliable Drupal
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. -- Edsger W. Dijkstra
Simplicity is the ultimate sophistication. -- Leonardo da Vinci
For every complex problem, there is an answer that is clear, simple, and
wrong. -- H.L. Mencken