[openssl-users] The evolution of the 'master' branch

Jakob Bohm jb-openssl at wisemo.com
Tue Feb 10 01:16:33 UTC 2015


On 07/02/2015 12:12, Michael Felt wrote:
> From someone who does NOT understand the in's and out's of what people 
> (developers and users) have been using openSSL for.
> My first reaction is: have developers been using openSSL, or has it 
> gone to abusing it?
> For the sake of argument - let's say just use as it has always been 
> intended.
>
Fundamentally, since its inception by EAY years ago, "OpenSSL"
has provided two things to other software developers: A very
popular implementation of the SSL protocols defined by
Netscape/Mozilla/IETF, and an equally popular library of
fundamental cryptographic building blocks such as large
numbers and various types of encryption and decryption.

My criticism of the OpenSSL changes in the future version
1.1.0 is that they are removing the most flexible building
blocks from the part that is intended to be used.

> Many technologies - especially related to security - whether it be a 
> big log through 'something', to skeleton keys', to digital keys, etc - 
> we want to be able to trust our locks. When the lock technology is no 
> longer trustworthy - whether it be packaging (which is what the 
> discussion sounds like atm) or unrepairable "concerns" with the 
> technology asis - we change our locks.
>
2014 saw some widely published problems with various SSL
variants.

   "Heartbleed" was a programming error found *only* in
the OpenSSL SSL code and did not affect the handful of
competing SSL implementations (such as the NSS one by
Mozilla and the STUNNEL one by Microsoft).  Essentially,
heartbleed allowed people to put a hook through the
keyhole and steal the key from behind the locked door.

   "Poodle" was a new way to attack a known weakness in
the old version 3.0 of the SSL protocol, affecting all
implementations, combined with a weakness in how Web
Browsers work around bad SSL libraries that refuse to
even reply to requests for protocol version 3.1 ("TLS
1.0").  On top of that, it turned out that a few minor
competing SSL implementations (not OpenSSL, NSS and
STUNNEL) never implemented the TLS 1.0 protection
against the known weakness, leading to a rumor that
poodle affected all "TLS 1.0" implementations, and
not just the few broken ones.

> Not everyone changes locks at the same moment in time. urgency depends 
> on need, i.e., what is at risk.
>
> I started following these discussions because I am concerned (remember 
> I am not really interested in the inner workings. I just think my 
> locks are broken and wondering if it is time to change to something 
> that maybe "can do less" - but what it does, does it better than what 
> I have now.
>
> Regardless of the choices made by openssl - people outside openssl 
> have needs and are looking at alternatives. To someone like me it is 
> obvious something must change - even if technically it is cosmetic - 
> because (open)SSL is losing the trust of it's users.
>
> As a user - I need a alternative. And just as I stopped using 
> telnet/ftp/rsh/etc- because I could not entrust the integrity of my 
> systems when those doors were open - so are my concerns re: (open)SSL. 
> In short, is SSL still secure? And, very simply, as an 
> un-knowledgeable user - given the choice of a library that does 
> something well - and that's it, versus something else that does that - 
> but leaves room for 'experiments' - Not on my systems. Experiment in 
> experiment-land.
>
> My two bits.
>
> On Fri, Feb 6, 2015 at 9:59 PM, Matt Caswell <matt at openssl.org 
> <mailto:matt at openssl.org>> wrote:
>
>
>
>     On 06/02/15 16:03, Jakob Bohm wrote:
>     > I believe you have made the mistake of discussing only amongst
>     > yourselves, thus gradually convincing each other of the
>     > righteousness of a flawed decision.
>
>
>     ...and, Rich said in a previous email (in response to your comment):
>     >> I fear that this is an indication that you will be killing
>     >> off all the other non-EVP entrypoints in libcrypto
>     >
>     > Yes there is a good chance of that happening.
>
>     I'd like to stress that there has been no decision. In fact we're not
>     even close to a decision on that at the moment.
>
>     Whilst this has certainly been discussed I don't believe we are
>     near to
>     a consensus view at the moment. So whilst there is a good chance
>     of that
>     happening....there's also a very good chance of it not. It is still
>     under discussion.
>
Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150210/b1a4e385/attachment-0001.html>


More information about the openssl-users mailing list