OpenBSD developers remove 90,000 lines of OpenSSL code and "the codebase is still API compatible… declare OpenSSL is beyond repair and begin LibreSSL fork

April 23, 2014 by Paul Spoerry 7 Comments

OpenBSD developers remove 90,000 lines of OpenSSL code and "the codebase is still API compatible… declare OpenSSL is beyond repair and begin LibreSSL fork

OpenSSL and its Heartbleed bug affected around 17%, or half a million, of the Internet's secure web servers certified by trusted authorities. The bug potentially allowed attackers to access user names, passwords, or even the server's cryptographic keys used for SSL. After reviewing the OpenSSL code, OpenBSD founder Theo de Raadt has created a fork, claiming that OpenSSL cannot be salvaged. De Raadt told ZDNet that his team has removed 90,000 lines of C code. "Even after all those changes, the codebase is still API compatible," he said. "Our entire ports tree (8,700 applications) continue to compile and work after all these changes."

It's insane to think that something that protects so many consumers has so few resources behind it. It'll be interesting to see whether LibreSSL takes over, whether OpenSSL gets funding to clean up its code, or whether everyone is just lazy and leaves it as is until the next bug comes up.

http://www.libressl.org/

OpenSSL code beyond repair, claims creator of “LibreSSL” fork
OpenBSD developers “removed half of the OpenSSL source tree in a week.”

Comments

  1. David Ford says

    April 23, 2014 at 5:17 pm

    Keep in mind that the OpenBSD ports code is not feature compatible with the rest of the world. OpenBSD is extremely minimal. Theo gets off on throwing shit at people and grandstanding.

  2. Brian Turner says

    April 23, 2014 at 10:30 pm

    On the last Security Now podcast, Steve Gibson pretty much says 'hell no' (but not in those words) to using libressl, so that's worth considering. His reasoning is pretty straightforward: do these guys really know what they're yanking out of the code? Are they sure that they're not ripping out code that might be needed?

    I can't help but agree. OpenSSL might have problems, but other than the recent thing with Heartbleed (which is now fixed) it's been pretty solid over the years. Old code? Yes. Reliable and still trusted? Yes.

  3. Paul Spoerry says

    April 24, 2014 at 1:14 am

    Yeah I can't really comment on what they're ripping out. That said… Reliable and old… maybe?! I mean Heartbleed was in there "unnoticed" for 2+ years?!

  4. David Ford says

    April 24, 2014 at 1:29 am

    Yup. OpenSSL needs a good shake to get all the junk out, but this Valhalla rampage thing is just a publicity thing. In a month everyone will have forgotten about OpenBSD again and the OpenBSD trolls will go back to their lonely caves.

  5. Paul Spoerry says

    April 24, 2014 at 1:33 am

    What is this OpenBSD you speak of? lol

  6. Scott Duensing says

    April 24, 2014 at 1:44 am

    OpenSSL suffers from code growth. There's been a lot of things added, patched, hacked, fixed, worked around, etc. without a major refactoring effort to clean the entire thing up. It's probably easier to just start over. That said, there needs to be a damn good set of unit tests made and run against the existing code so the new developers know what to expect. And maybe read a few RFCs. 🙂

  7. Brian Turner says

    April 24, 2014 at 2:06 am

    The good thing about someone going over the code is that there are eyes on the code searching for other faults. I just hope that those eyes know what to look for.
