<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 07/02/2015 12:12, Michael Felt
wrote:<br>
</div>
<blockquote
cite="mid:CANvxniX9eyam8TbBnxPz2qUvAj05r2FHm_+BEGEdM-Do2hws5A@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>From someone who does NOT understand the ins
and outs of what people (developers and users)
have been using openSSL for.<br>
</div>
My first reaction is: have developers been using
openSSL, or has it gone to abusing it?<br>
</div>
For the sake of argument - let's say just use as it
has always been intended.<br>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<tt>Fundamentally, since its inception by EAY years ago, "OpenSSL"<br>
has provided two things to other software developers: A very<br>
popular implementation of the SSL protocols defined by<br>
Netscape/Mozilla/IETF, and an equally popular library of<br>
fundamental cryptographic building blocks such as large<br>
numbers and various types of encryption and decryption.</tt><tt><br>
<br>
My criticism of the OpenSSL changes in the future version<br>
1.1.0 is that they are removing the most flexible building<br>
blocks from the part that is intended to be used.<br>
</tt><br>
<blockquote
cite="mid:CANvxniX9eyam8TbBnxPz2qUvAj05r2FHm_+BEGEdM-Do2hws5A@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>Many technologies - especially related to security
- whether it be a big log through 'something', to
skeleton keys, to digital keys, etc - we want to be
able to trust our locks. When the lock technology is
no longer trustworthy - whether it be packaging (which
is what the discussion sounds like atm) or
unrepairable "concerns" with the technology as is - we
change our locks.<br>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<tt>2014 saw some widely published problems with various SSL<br>
variants.<br>
<br>
"Heartbleed" was a programming error found *only* in<br>
the OpenSSL SSL code and did not affect the handful of<br>
competing SSL implementations (such as the NSS one by<br>
Mozilla and the STUNNEL one by Microsoft). Essentially,<br>
heartbleed allowed people to put a hook through the<br>
keyhole and steal the key from behind the locked door.<br>
<br>
"Poodle" was a new way to attack a known weakness in<br>
the old version 3.0 of the SSL protocol, affecting all<br>
implementations, combined with a weakness in how Web<br>
Browsers work around bad SSL libraries that refuse to<br>
even reply to requests for protocol version 3.1 ("TLS<br>
1.0"). On top of that, it turned out that a few minor<br>
competing SSL implementations (not OpenSSL, NSS and<br>
STUNNEL) never implemented the TLS 1.0 protection<br>
against the known weakness, leading to a rumor that<br>
poodle affected all "TLS 1.0" implementations, and<br>
not just the few broken ones.</tt><tt><br>
<br>
</tt>
<blockquote
cite="mid:CANvxniX9eyam8TbBnxPz2qUvAj05r2FHm_+BEGEdM-Do2hws5A@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>Not everyone changes locks at the same moment in
time. Urgency depends on need, i.e., what is at risk.<br>
<br>
</div>
I started following these discussions because I am
concerned (remember I am not really interested in the
inner workings). I just think my locks are broken and
wondering if it is time to change to something that maybe
"can do less" - but what it does, does it better than what
I have now.<br>
<br>
</div>
Regardless of the choices made by openssl - people outside
openssl have needs and are looking at alternatives. To
someone like me it is obvious something must change - even
if technically it is cosmetic - because (open)SSL is losing
the trust of its users.<br>
<br>
</div>
As a user - I need an alternative. And just as I stopped using
telnet/ftp/rsh/etc. - because I could not entrust the integrity
of my systems when those doors were open - so are my concerns
re: (open)SSL. In short, is SSL still secure? And, very
simply, as an un-knowledgeable user - given the choice of a
library that does something well - and that's it, versus
something else that does that - but leaves room for
'experiments' - Not on my systems. Experiment in
experiment-land.<br>
<br>
</div>
My two bits.<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Feb 6, 2015 at 9:59 PM, Matt
Caswell <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><span
class=""><br>
<br>
On 06/02/15 16:03, Jakob Bohm wrote:<br>
> I believe you have made the mistake of discussing
only amongst<br>
> yourselves, thus gradually convincing each other of
the<br>
> righteousness of a flawed decision.<br>
<br>
<br>
</span>...and, Rich said in a previous email (in response to
your comment):<br>
<span class="">>> I fear that this is an indication
that you will be killing<br>
>> off all the other non-EVP entrypoints in
libcrypto<br>
><br>
> Yes there is a good chance of that happening.<br>
<br>
</span>I'd like to stress that there has been no decision.
In fact we're not<br>
even close to a decision on that at the moment.<br>
<br>
Whilst this has certainly been discussed I don't believe we
are near to<br>
a consensus view at the moment. So whilst there is a good
chance of that<br>
happening....there's also a very good chance of it not. It
is still<br>
under discussion.<br>
<span class="HOEnZb"></span></blockquote>
</div>
</div>
</blockquote>
<pre class="moz-signature" cols="72">Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. <a class="moz-txt-link-freetext" href="http://www.wisemo.com">http://www.wisemo.com</a>
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded </pre>
</body>
</html>