OpenSSL and its Heartbleed bug affected around 17%… or half a million of the Internet's secure web servers certified by trusted authorities. The bug potentially allowed attackers to access user names, passwords, or even the cryptographic keys of the server used for SSL. After reviewing the code for OpenSSL, OpenBSD founder Theo de Raadt has created a fork, claiming that OpenSSL cannot be salvaged. De Raadt told ZDNet that his team has removed 90,000 lines of C code. "Even after all those changes, the codebase is still API compatible," he said. "Our entire ports tree (8,700 applications) continue to compile and work after all these changes."
It's insane to think that something that protects so many consumers has so few resources attached to it. It'll be interesting to see if LibreSSL takes over, if OpenSSL gets funding to clean up its code, or if everyone is just lazy and leaves it as is until the next bug comes up.
OpenSSL code beyond repair, claims creator of “LibreSSL” fork
OpenBSD developers “removed half of the OpenSSL source tree in a week.”
keep in mind that the openbsd ports code is not feature compatible with the rest of the world. openbsd is extremely minimal. theo gets off on throwing shit at people and grandstanding
On the last Security Now podcast, Steve Gibson pretty much says 'hell no' (but not in those words) to using libressl, so that's worth considering. His reasoning is pretty straightforward: do these guys really know what they're yanking out of the code? Are they sure that they're not ripping out code that might be needed?
I can't help but agree. OpenSSL might have problems, but other than the recent thing with Heartbleed (which is now fixed) it's been pretty solid over the years. Old code? Yes. Reliable and still trusted? Yes.
Yeah I can't really comment on what they're ripping out. That said… Reliable and old… maybe?! I mean Heartbleed was in there "unnoticed" for 2+ years?!
yup. openssl needs a good shake to get all the junk out, but this valhalla rampage thing is just a publicity thing. in a month everyone will have forgotten about openbsd again and the openbsd trolls will go back to their lonely caves
What is this OpenBSD you speak of? lol
OpenSSL suffers from code growth. There have been a lot of things added, patched, hacked, fixed, worked around, etc. without a major refactoring effort to clean the entire thing up. It's probably easier to just start over. That said, there needs to be a damn good set of unit tests made and run against the existing code so the new developers know what to expect. And maybe read a few RFCs. 🙂
The good thing about someone going over the code is that there are eyes on the code searching for other faults. I just hope that those eyes know what to look for.