[kwlug-disc] Stronger SSH keys and SSL certificates

Jeff Smith crankyoldbugger at gmail.com
Thu Apr 24 10:20:21 EDT 2014


Some more good news on this topic, it seems the Linux Foundation has rounded up a bunch of companies who've agreed to give regular donations to the cause:
http://arstechnica.com/information-technology/2014/04/tech-giants-chastened-by-heartbleed-finally-agree-to-fund-openssl/#p3


Date: Tue, 22 Apr 2014 12:54:15 -0400
From: kb at 2bits.com
To: kwlug-disc at kwlug.org
Subject: Re: [kwlug-disc] Stronger SSH keys and SSL certificates

My own explanation:

The "given enough eyeballs all bugs are shallow" adage is true, and is true in the case of OpenSSL as well. Even though the source code is open, there were not enough eyeballs.


OpenSSL's code is complex, has a lot of cruft, uses its own memory management, and supports too many obsolete platforms. So for many, it is scary, inelegant, legacy, yucky, and the like.

Therefore there are effectively only a few eyeballs, if any, on it, hence the bug remained in the code for 2 years.


Of course the process could be improved by mandating more rigorous code reviews (e.g. 2 people have to vouch for the commit) before accepting a change.

The OpenBSD folk are ripping out all the old cruft from OpenSSL, and it has been forked as LibreSSL as well.




On Tue, Apr 22, 2014 at 12:17 PM, CrankyOldBugger <crankyoldbugger at gmail.com> wrote:

Interesting line in http://arstechnica.com/information-technology/2014/04/openssl-code-beyond-repair-claims-creator-of-libressl-fork/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+All+content%29 , from OpenSSL Software Foundation President Steve Marquess:


[As for Heartbleed], "the mystery is not that a few overworked volunteers missed this bug," Marquess wrote. "The mystery is why it hasn’t happened more often."






On 22 April 2014 09:37, Giles Malet <gdmalet at gmail.com> wrote:

On 04/22/2014 03:42 AM, unsolicited wrote:


So, now not only are you postulating that the NSA has injected source code into OpenSSL, and successfully had it accepted world wide for all compile from source repositories (otherwise there would be no point, there would be nothing on the other side of the connection for the NSA to exploit), you are suggesting that simultaneously they have done so into gcc to accept and hide the exploit.  [...]




I said none of that. Could you please keep your attributions correct. I merely pointed out that one of your assertions is factually incorrect.



g







_______________________________________________

kwlug-disc mailing list

kwlug-disc at kwlug.org

http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org

-- 
Khalid M. Baheyeldin
2bits.com, Inc.
Fast Reliable Drupal
Drupal optimization, development, customization and consulting.

Simplicity is prerequisite for reliability. -- Edsger W. Dijkstra
Simplicity is the ultimate sophistication. -- Leonardo da Vinci
For every complex problem, there is an answer that is clear, simple, and wrong. -- H.L. Mencken
