
SANS ISC: OpenSSL Rampage - SANS Internet Storm Center


OpenSSL Rampage

OpenSSL, in spite of its name, isn't really a part of the OpenBSD project. But as one of the more positive results of the recent Heartbleed fiasco, the OpenBSD developers, who are known for their focus on readable and secure code, have now started a full-scale review and cleanup of the OpenSSL codebase.

If you are interested in writing secure code in C (not necessarily a contradiction in terms), I recommend you take a look at http://opensslrampage.org/archive/2014/4, where the OpenBSD-OpenSSL diffs and code changes are coming in fast, and are often accompanied by cynical but instructive comments. As one poster put it, "I don't know if I should laugh or cry". The good news though definitely is that the OpenSSL code is being looked at, carefully and expertly, and everyone will be better off for it.

Daniel (ISC Handler)
While probably well-intentioned, they may not understand the full ramifications of their changes. One response to one of their changes is at

http://blog.ngas.ch/archives/2014/04/17/what_is_this_private_key_doing_in_my_random_pool/index.html
Anonymous
That site is not official, and in fact there is no real project site other than the codebase. But there is a full-out fork going on (although there's a lot more knife than fork involved).
http://www.zdnet.com/openbsd-forks-prunes-fixes-openssl-7000028613/
Larry Seltzer
