OpenSourcerer 1441 Posted ... Don't you find it odd that OpenSSL experiences a fatal bug and a project called LibreSSL begs for money just a few days after the publication of the bug? I do. I never trusted LibreSSL and probably never will. I feel it is wrong to provide them with money just because they say they aim to become a better product than OpenSSL ever was. OpenSSL is a standard. Now many donors felt the need to donate to the new project instead of helping the old. I find it highly wrong. I request one-time or even recurring donations to OpenSSL to fund new developers who help them code, because one developer is not enough to implement new features while improving security and maintaining stability of the project.
Signature: NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT. LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too! Want to contact me directly? All relevant methods are on my About me page.
PirateParty 49 Posted ... I support this, OpenSSL really is a great project. How many people do they currently have on the team?
Signature: https://cryptoforums.net/ Computing, Crypto, Security & Privacy Forum
OpenSourcerer 1441 Posted ... Dr. Steven Henson is the only "permanent employee" in the OpenSSL Software Foundation. But the bugged code was contributed by a German developer who works for Deutsche Telekom today. He was part of a research project at FH Münster back then. Dr. Henson didn't see the bug; if there were more developers it might have been seen and fixed before release. By the way, Steve Marquess published a post on his blog about OpenSSL one or two weeks after the bug was published. He is the only one in charge of financial matters for the project and personally wrote that it lacks the money to "employ" full-time developers. Official statement by the developer who contributed the code (original in German): "As part of a research project at FH Münster I used the well-known encryption library OpenSSL and made the bug fixes and new features that arose during my work available to the OpenSSL project. After review by a member of the OpenSSL development team, the respective changes were adopted into the official code. In one extension, the TLS/DTLS Heartbeat Extension, I made the mistake of not checking a variable containing a length value for a sensible value. This made possible the bug that has now been found and named Heartbleed after the extension. Unfortunately, the OpenSSL developer who reviewed the code also did not notice the missing check. As a result, the faulty code was adopted into the development version, which later became the released version. Because the length was not checked for plausibility, by supplying actually invalid values more memory could be read out than intended. This created a way to access security-relevant data, and a really simple error had serious consequences.
[...]" (The poster's own translation, which he notes may not be 100% accurate:) "In the context of a research project at FH Münster I used the known encryption library OpenSSL and made new features and bugfixes arising from my work available to the OpenSSL project. After a member of the OpenSSL developer team reviewed the code it was applied to the official code. In one extension, the TLS/DTLS Heartbeat Extension, I failed to check a variable containing a length value for validity. This opened up the Heartbleed bug, named after the extension's name. Unfortunately the OpenSSL developer reviewing the code also failed to notice the missing check. The bugged code was applied to the beta code, followed by the official release. Because the length hadn't been checked for validity, by entering invalid values it was possible to read more memory, which created the opportunity to read security-related data. A simple error can lead to dire consequences. [...]"
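The mistake the statement describes, shown as an added example in C that is not code from the original post and not OpenSSL's own implementation: a simplified heartbeat handler that trusts the 16-bit payload length sent by the peer, beside the hardened version that first checks the claimed length against the number of bytes actually received. The message layout (type, big-endian payload length, payload, at least 16 bytes of padding) follows RFC 6520; the 256-byte "memory image", the "ping" payload, the SECRET string placed right after the record, and all function names are constructed for this demonstration. The claimed length of 64 is chosen so the over-read stays inside the sample buffer and the demo itself does not touch unmapped memory; in the real bug the same missing check let a peer read up to 64 KiB beyond the record.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Message layout from RFC 6520: type(1) | payload_length(2, big-endian) | payload | padding(>=16).
 * Simplified model written for this thread, not OpenSSL's ssl/t1_lib.c. */
#define HB_PADDING 16
#define HB_MAX_OUT (3 + 65535 + HB_PADDING)

/* Constructed secret that happens to sit in memory right after the received record. */
static const char SECRET[] = "SECRET-KEY-MATERIAL";

static uint16_t read_u16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable handler: copies payload_length bytes as claimed by the peer and never
 * compares that claim with the number of bytes actually received (rec_len).
 * Returns the response length. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    (void)rec_len;                                  /* the bug: real record length is ignored */
    uint16_t payload_len = read_u16(rec + 1);
    out[0] = 2;                                     /* heartbeat_response */
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);          /* over-read past the end of the record */
    memset(out + 3 + payload_len, 0, HB_PADDING);   /* response padding */
    return 3 + payload_len + HB_PADDING;
}

/* Hardened handler: rejects the record unless the claimed payload plus the mandatory
 * padding fits inside what was actually received. Returns -1 on rejection. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return -1;                                  /* cannot even hold length field and padding */
    uint16_t payload_len = read_u16(rec + 1);
    if ((size_t)1 + 2 + payload_len + HB_PADDING > rec_len)
        return -1;                                  /* the plausibility check that was missing */
    out[0] = 2;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Lay out a constructed "process memory" image: one heartbeat request carrying the
 * 4-byte payload "ping" but claiming claimed_len bytes, immediately followed by SECRET.
 * Returns the true length of the received record. */
size_t build_sample(unsigned char *mem, size_t mem_size, uint16_t claimed_len)
{
    memset(mem, 0, mem_size);
    mem[0] = 1;                                     /* heartbeat_request */
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + 3, "ping", 4);                     /* real payload; 16 zero padding bytes follow */
    size_t rec_len = 3 + 4 + HB_PADDING;
    memcpy(mem + rec_len, SECRET, sizeof SECRET);   /* adjacent data the peer should never see */
    return rec_len;
}

static int contains(const unsigned char *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return 1;
    return 0;
}

/* 1 if the chosen handler's response carries SECRET, 0 otherwise. */
int secret_leaks(int use_fixed)
{
    unsigned char mem[256];
    static unsigned char out[HB_MAX_OUT];
    size_t rec_len = build_sample(mem, sizeof mem, 64);   /* claims 64, really sends 4 */
    int n = use_fixed ? heartbeat_fixed(mem, rec_len, out)
                      : heartbeat_vulnerable(mem, rec_len, out);
    if (n < 0)
        return 0;                                   /* rejected: nothing echoed at all */
    return contains(out, (size_t)n, SECRET);
}

/* 1 if the hardened handler still answers an honest 4-byte request correctly. */
int fixed_handles_valid_record(void)
{
    unsigned char mem[256];
    static unsigned char out[HB_MAX_OUT];
    size_t rec_len = build_sample(mem, sizeof mem, 4);
    int n = heartbeat_fixed(mem, rec_len, out);
    return n == 3 + 4 + HB_PADDING && out[0] == 2 && memcmp(out + 3, "ping", 4) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks secret:  %d\n", secret_leaks(0));
    printf("fixed handler leaks secret:       %d\n", secret_leaks(1));
    printf("fixed handler answers valid ping: %d\n", fixed_handles_valid_record());
    return 0;
}
```

The only difference between the two handlers is the single comparison of the claimed length (plus the 16 padding bytes the extension requires) against the bytes actually received; the rest of the code is identical, which is why a reviewer reading the copy loop in isolation can miss it.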
athelstan 11 Posted ... As of pretty soon, that's two full-time devs plus a security audit http://arstechnica.com/information-technology/2014/05/openssl-to-get-a-security-audit-and-two-full-time-developers/ But apart from that... yeah.
OpenSourcerer 1441 Posted ... Ah yeah, I read of that, too, I failed to mention it. Thanks for the addition.
Staff 10014 Posted ...
Quote (OpenSourcerer): Dr. Steven Henson is the only "permanent employee" in the OpenSSL Software Foundation. But the bugged code was contributed by a German developer who works for Deutsche Telekom today. He was part of a research project at FH Münster back then. Dr. Henson didn't see the bug; if there were more developers it might have been seen and fixed before release.
Sadly true... Anyway, OpenSSL should be getting money soon enough from the CII (currently made up of Google, Microsoft, IBM, Facebook, Amazon, The Linux Foundation, Bloomberg, HP, Huawei and Salesforce). Funds to permanently hire two additional developers have already been delivered and many more should be arriving soon. According to some online articles CII should soon be funding OpenSSH (by the OpenBSD Foundation) and NTP as well. See for example http://threatpost.com/openssl-receives-funding-for-developers-will-undergo-security-audit/106349 Kind regards
OpenSourcerer 1441 Posted ...
Quote (Staff): Sadly true... Anyway, OpenSSL should be getting money soon enough from the CII (currently made up of Google, Microsoft, IBM, Facebook, Amazon, The Linux Foundation, Bloomberg, HP, Huawei and Salesforce). Funds to permanently hire two additional developers have already been delivered and many more should be arriving soon. According to some online articles CII should soon be funding OpenSSH (by the OpenBSD Foundation) and NTP as well. See for example http://threatpost.com/openssl-receives-funding-for-developers-will-undergo-security-audit/106349 Kind regards
Am I right in thinking that you don't plan to fund OpenSSL now because of the CII?