Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: OpenSSL Rampage SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
OpenSSL Rampage

OpenSSL, in spite of its name, isn't really a part of the OpenBSD project. But as one of the more positive results of the recent Heartbleed fiasco, the OpenBSD developers, who are known for their focus on readable and secure code, have now started a full-scale review and cleanup of the OpenSSL codebase.

If you are interested in writing secure code in C (not necessarily a contradiction in terms), I recommend you take a look at, where the OpenBSD-OpenSSL diffs and code changes are coming in fast, and are often accompanied by cynical but instructive comments. As one poster put it, "I don't know if I should laugh or cry". The good news though definitely is that the OpenSSL code is being looked at, carefully and expertly, and everyone will be better off for it.


385 Posts
ISC Handler
Apr 21st 2014
While probably well intentioned, they may not understand the full ramifications of their changes. One response to one of their changes is at
That site is not official, and in fact there is no real project site other than the codebase. But there is a full-out fork going on (although there's a lot more knife than fork involved).
Larry Seltzer

26 Posts

Sign Up for Free or Log In to start participating in the conversation!