OpenSSL



#1 giganerd (I shall have no title)
Members2, 2627 posts, Location: Germany

Posted 02 June 2014 - 07:02 PM

Don't you find it odd that OpenSSL experiences a fatal bug and a project called LibreSSL begs for money just a few days after the publication of the bug?

I do.

 

I never trusted LibreSSL and probably never will. I feel it is wrong to provide them with money just because they say they aim to become a better product than OpenSSL ever was. OpenSSL is a standard.

Now many donors felt the need to donate to the new project instead of helping the old. I find it highly wrong.

 

I request one-time or even recurring donations to OpenSSL to fund new developers who help them code.

Because one developer is not enough to implement new features while improving security and maintaining stability of the project.


Always remember:
There's a guide to AirVPN,

Amazon IPs are not dangerous here,
running TOR exits is discouraged,

using spoilers for your logs helps us read your thread.

~ Furthermore, I propose that your paranoia is to be destroyed. ~

Instead of writing me a personal mail, consider contacting me via XMPP at gigan3rd@xmpp.airvpn.org or join the lounge@conference.xmpp.airvpn.org. I might read the mail too late whereas I'm always available on XMPP ;)


#2 PirateParty (Advanced Member)
Members, 64 posts

Posted 02 June 2014 - 09:25 PM

I support this, OpenSSL really is a great project. How many people do they currently have on the team?


https://cryptoforums.net/ Computing, Crypto, Security & Privacy Forum


#3 giganerd (I shall have no title)
Members2, 2627 posts, Location: Germany

Posted 02 June 2014 - 10:12 PM

Dr. Steven Henson is the only "permanent employee" in the OpenSSL Software Foundation.

 

But the bugged code has been suggested by a German developer who works for Deutsche Telekom today. He was part of a research project at FH Münster back then. Dr. Henson hasn't seen the bug; if there were more developers it might have been seen and fixed before patching.

 

By the way, Steve Marquess published a post on his blog about OpenSSL one or two weeks after the bug had been published. He is the only one in charge of financial things about the project and personally wrote that it lacks money to "employ" full-time developers.

 

Official statement by the suggesting developer:
 

"As part of a research project at FH Münster, I used the well-known encryption library OpenSSL and made the bug fixes and new features that arose during my work available to the OpenSSL project. After review by a member of the OpenSSL development team, the respective changes were incorporated into the official code. In one extension, the TLS/DTLS Heartbeat Extension, I made the mistake of not checking a variable containing a length value for a sensible value. This made possible the bug that has now been found and named Heartbleed after the extension. Unfortunately, the OpenSSL developer who carried out the review of the code also did not notice the missing check. As a result, the faulty code was incorporated into the development version, which later became the released version.

 

Because the length was not checked for plausibility, more memory than intended could be read out by supplying what were actually invalid values. This created a way to access security-relevant data, and what was actually a simple mistake has serious consequences. [...]"

(Translation, may not be 100% accurate)

"In the context of a research project at FH Münster I used the known encryption library OpenSSL and made new features and bugfixes arising from my work available to the OpenSSL project. After a member of the OpenSSL developer team reviewed the code it got applied to the official code. In one extension, the TLS/DTLS Heartbeat Extension, I failed to check a variable containing a length value for validity. This opened up the Heartbleed bug, named after the extension's name. Unfortunately the OpenSSL developer reviewing the code also failed to notice the missing check. The bugged code has been applied to the beta code followed by the official release.

 

Because the length hasn't been checked for validity, by entering invalid values it was possible to read more memory which created the opportunity to read security related data. A simple error can lead to dire consequences. [...]"


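The length check that the quoted statement describes as missing, shown as an added C example. This is illustrative code written for this thread, not OpenSSL's heartbeat implementation and not code from any poster; it follows the RFC 6520 message layout (type, 2-byte big-endian payload length, payload, at least 16 bytes of padding), and the request records it parses are constructed inline as test fixtures.

```c
/* Added example: a heartbeat-style record parser that performs the length
 * plausibility check the quoted developer describes as missing.
 * Layout (RFC 6520): type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 * Illustrative code, not OpenSSL's implementation. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST      1
#define HB_RESPONSE     2
#define HB_HEADER_LEN   3
#define HB_MIN_PADDING  16

/* Build a heartbeat request from a payload (constructed test input).
 * Returns the record length, or 0 if it does not fit in the output buffer. */
size_t hb_encode_request(const uint8_t *payload, size_t payload_len, uint8_t *out, size_t out_cap)
{
    size_t rec_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (payload_len > 0xFFFF || rec_len > out_cap) return 0;
    out[0] = HB_REQUEST;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xFF);
    memcpy(out + HB_HEADER_LEN, payload, payload_len);
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING); /* zero padding is fine for a fixture */
    return rec_len;
}

/* Validate a received heartbeat request and build the response.
 * Returns the response length, or -1 if the record is rejected. */
int hb_build_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec == NULL || out == NULL) return -1;
    /* The record must at least hold the header and the minimum padding. */
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;

    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];

    /* The plausibility check: the claimed payload plus padding must fit inside
     * the bytes that actually arrived. Without it, the memcpy below would read
     * past the end of the record, which is the failure the statement describes. */
    if (payload_len > rec_len - HB_HEADER_LEN - HB_MIN_PADDING) return -1;

    size_t resp_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap) return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len); /* echo only bytes that were received */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);  /* real implementations use random padding */
    return (int)resp_len;
}

/* Well-formed request: 4-byte payload, so the response is 3 + 4 + 16 = 23 bytes. */
int demo_valid_request(void)
{
    uint8_t rec[64], resp[64];
    size_t n = hb_encode_request((const uint8_t *)"ping", 4, rec, sizeof rec);
    return hb_build_response(rec, n, resp, sizeof resp);
}

/* Malformed request: the same 4-byte payload, but the length field claims 65535 bytes.
 * The parser rejects it instead of echoing memory it never received. */
int demo_oversized_length(void)
{
    uint8_t rec[64], resp[64];
    size_t n = hb_encode_request((const uint8_t *)"ping", 4, rec, sizeof rec);
    rec[1] = 0xFF;
    rec[2] = 0xFF; /* lie about the payload length */
    return hb_build_response(rec, n, resp, sizeof resp);
}

int main(void)
{
    printf("valid request -> response length %d\n", demo_valid_request());
    printf("oversized length field -> %d (rejected)\n", demo_oversized_length());
    return 0;
}
```

The key line is the comparison of the claimed payload length against the bytes actually present in the record; every other check (minimum record size, message type, output capacity) is there so that the copy that follows can never run past either buffer.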


#4 athelstan (Member)
Members, 26 posts

Posted 02 June 2014 - 10:34 PM

As of pretty soon, that's two full-time devs plus a security audit

 

http://arstechnica.com/information-technology/2014/05/openssl-to-get-a-security-audit-and-two-full-time-developers/

 

But apart from that... yeah.



#5 giganerd (I shall have no title)
Members2, 2627 posts, Location: Germany

Posted 02 June 2014 - 10:48 PM

Ah yeah, I read of that, too, I failed to mention it. Thanks for the addition.




#6 Staff (Advanced Member)
Staff, 7692 posts

Posted 02 June 2014 - 11:15 PM

Dr. Steven Henson is the only "permanent employee" in the OpenSSL Software Foundation.
 
But the bugged code has been suggested by a German developer who works for Deutsche Telekom today. He was part of a research project at FH Münster back then. Dr. Henson hasn't seen the bug; if there were more developers it might have been seen and fixed before patching.

Sadly true... Anyway, OpenSSL should be getting soon enough money from the CII (currently made of Google, Microsoft, IBM, Facebook, Amazon, The Linux Foundation, Bloomberg, HP, Huawei and Salesforce). Funds to hire permanently two additional developers have already been delivered and many more should be arriving soon. According to some online articles CII should be funding soon OpenSSH (by OpenBSD Foundation) and NTP. See for example http://threatpost.com/openssl-receives-funding-for-developers-will-undergo-security-audit/106349

Kind regards



#7 giganerd (I shall have no title)
Members2, 2627 posts, Location: Germany

Posted 03 June 2014 - 12:18 PM

Dr. Steven Henson is the only "permanent employee" in the OpenSSL Software Foundation.
 
But the bugged code has been suggested by a German developer who works for Deutsche Telekom today. He was part of a research project at FH Münster back then. Dr. Henson hasn't seen the bug; if there were more developers it might have been seen and fixed before patching.

Sadly true... Anyway, OpenSSL should be getting soon enough money from the CII (currently made of Google, Microsoft, IBM, Facebook, Amazon, The Linux Foundation, Bloomberg, HP, Huawei and Salesforce). Funds to hire permanently two additional developers have already been delivered and many more should be arriving soon. According to some online articles CII should be funding soon OpenSSH (by OpenBSD Foundation) and NTP. See for example http://threatpost.com/openssl-receives-funding-for-developers-will-undergo-security-audit/106349

Kind regards

 

Am I right in thinking that you don't plan to fund OpenSSL now because of the CII? :)






