
Don't you find it odd that OpenSSL experiences a fatal bug and a project called LibreSSL begs for money just a few days after the publication of the bug?

I do.

 

I never trusted LibreSSL and probably never will. I feel it is wrong to provide them with money just because they say they aim to become a better product than OpenSSL ever was. OpenSSL is a standard.

Now many donors felt the need to donate to the new project instead of helping the old one. I find this highly wrong.

 

I request one-time or even recurring donations to OpenSSL to fund new developers who help them code.

Because one developer is not enough to implement new features while improving security and maintaining stability of the project.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.


Dr. Stephen Henson is the only "permanent employee" in the OpenSSL Software Foundation.

 

But the bugged code was submitted by a German developer who today works for Deutsche Telekom. He was part of a research project at FH Münster back then. Dr. Henson didn't see the bug; if there had been more developers it might have been seen and fixed before patching.

 

By the way, Steve Marquess published a post on his blog about OpenSSL one or two weeks after the bug had been published. He is the only one in charge of the project's finances and personally wrote that it lacks the money to "employ" full-time developers.

 

Official statement by the developer who submitted the code (original in German, translated here):

"As part of a research project at FH Münster I used the well-known encryption library OpenSSL and made the bug fixes and new features that came out of my work available to the OpenSSL project. After review by a member of the OpenSSL development team, the respective changes were incorporated into the official code. In one extension, the TLS/DTLS Heartbeat Extension, I made the mistake of not checking a variable holding a length value for a sensible value. This made the Heartbleed bug, which has now been found and is named after the extension, possible. Unfortunately the OpenSSL developer who reviewed the code also did not notice the missing check. As a result the faulty code was taken into the development version, which later became the released version.

 

Because the length was not checked for plausibility, by supplying values that were actually invalid it was possible to read more memory than intended. This created a way to access security-relevant data, and what is really a simple mistake has severe consequences. [...]"


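The missing plausibility check described in the statement above, shown as an added example that is not part of the original post and is not OpenSSL's own code: a deliberately simplified heartbeat responder in its unchecked form next to the checked form. The wire layout (type byte, two-byte payload length, payload, at least 16 bytes of padding) follows RFC 6520; the "heap" buffer with a secret placed right after the record, the `hb_respond_*` function names and the `SESSION_KEY=` string are constructed assumptions for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Simplified model of a TLS heartbeat responder (added illustration, not
 * OpenSSL's code). Wire format: 1-byte type, 2-byte payload_length,
 * payload, then at least 16 bytes of padding. The responder echoes the
 * payload back in a HeartbeatResponse. */

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_MIN_PAD   16
#define HB_MAX_REPLY (3 + 65535)

typedef size_t (*hb_handler)(const unsigned char *, size_t, unsigned char *);

/* Vulnerable handler: copies as many bytes as the peer's length field
 * claims, never comparing that claim with rec_len, the number of bytes the
 * record layer actually received. Kept unchecked on purpose to mirror the
 * bug described in the statement. */
size_t hb_respond_vulnerable(const unsigned char *rec, size_t rec_len,
                             unsigned char *out)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);   /* over-read if payload > rec_len - 3 */
    return 3 + payload;
}

/* Fixed handler: header + claimed payload + minimum padding must fit inside
 * the bytes actually received, otherwise the record is silently dropped. */
size_t hb_respond_fixed(const unsigned char *rec, size_t rec_len,
                        unsigned char *out)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_MIN_PAD > rec_len)
        return 0;                        /* the plausibility check that was missing */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    return 3 + payload;
}

/* Constructed fixture (assumption, not captured traffic): memory laid out so
 * that a 23-byte request carrying a 4-byte payload but claiming 64 bytes
 * sits directly in front of a secret that was never meant to be sent. */
static const unsigned char HEAP[] =
    "\x01" "\x00\x40" "ping" "PPPPPPPPPPPPPPPP"
    "SESSION_KEY=deadbeefcafef00d0123456789abcdef0123456789";
#define RECORD_LEN 23
static const char SECRET_PREFIX[] = "SESSION_KEY=";

/* Constructed honest request: length field matches the 4-byte payload. */
static const unsigned char HONEST[] = "\x01" "\x00\x04" "ping" "PPPPPPPPPPPPPPPP";

/* Returns 1 if the reply built by handler carries the secret that follows
 * the record in memory, 0 otherwise. Bytes out[3..22] are the honest
 * payload and padding; anything after that came from beyond the record. */
int reply_leaks_secret(hb_handler handler)
{
    unsigned char out[HB_MAX_REPLY];
    size_t n = handler(HEAP, RECORD_LEN, out);
    size_t prefix_len = sizeof(SECRET_PREFIX) - 1;
    if (n < RECORD_LEN + prefix_len)
        return 0;
    return memcmp(out + RECORD_LEN, SECRET_PREFIX, prefix_len) == 0;
}

/* Reply length for a well-formed request: 3-byte header plus 4 echoed bytes. */
size_t honest_reply_len(hb_handler handler)
{
    unsigned char out[HB_MAX_REPLY];
    return handler(HONEST, sizeof(HONEST) - 1, out);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n",
           reply_leaks_secret(hb_respond_vulnerable));
    printf("fixed handler leaks secret:      %d\n",
           reply_leaks_secret(hb_respond_fixed));
    return 0;
}
```

The over-read stays inside the constructed `HEAP` array here so the program is well defined; in a real process the same `memcpy` walks into whatever happens to follow the record buffer, which is why the leaked data was arbitrary and differed from request to request. Both handlers answer the honest request identically, which is what made the bug invisible to ordinary interoperability testing.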

Ah yeah, I read about that too; I failed to mention it. Thanks for the addition.



Dr. Stephen Henson is the only "permanent employee" in the OpenSSL Software Foundation.

 

But the bugged code was submitted by a German developer who today works for Deutsche Telekom. He was part of a research project at FH Münster back then. Dr. Henson didn't see the bug; if there had been more developers it might have been seen and fixed before patching.

Sadly true... Anyway, OpenSSL should soon be getting enough money from the CII (currently made up of Google, Microsoft, IBM, Facebook, Amazon, The Linux Foundation, Bloomberg, HP, Huawei and Salesforce). Funds to permanently hire two additional developers have already been delivered and many more should be arriving soon. According to some online articles, CII should soon be funding OpenSSH (by the OpenBSD Foundation) and NTP as well. See for example http://threatpost.com/openssl-receives-funding-for-developers-will-undergo-security-audit/106349

 

Kind regards


 

Dr. Stephen Henson is the only "permanent employee" in the OpenSSL Software Foundation.

 

But the bugged code was submitted by a German developer who today works for Deutsche Telekom. He was part of a research project at FH Münster back then. Dr. Henson didn't see the bug; if there had been more developers it might have been seen and fixed before patching.

Sadly true... Anyway, OpenSSL should soon be getting enough money from the CII (currently made up of Google, Microsoft, IBM, Facebook, Amazon, The Linux Foundation, Bloomberg, HP, Huawei and Salesforce). Funds to permanently hire two additional developers have already been delivered and many more should be arriving soon. According to some online articles, CII should soon be funding OpenSSH (by the OpenBSD Foundation) and NTP as well. See for example http://threatpost.com/openssl-receives-funding-for-developers-will-undergo-security-audit/106349

 

Kind regards

 

Am I right in thinking that you don't plan to fund OpenSSL now because of the CII?


