Old 23rd Apr 2014, 10:46   #1
Gareth Halfacree
WIIGII!
bit-tech Staff
Join Date: Dec 2007
Location: Bradford, UK
Posts: 4,128
OpenSSL forked into LibreSSL

OpenBSD loses confidence over Heartbleed.
http://www.bit-tech.net/news/bits/2014/04/23/libressl/1
__________________
Author, Raspberry Pi User Guide Third Edition, 21 Brilliant Projects for the Raspberry Pi and more | gareth.halfacree.co.uk | twitter | keybase.io
bit-tech news correspondent, Custom PC columnist, other things to other people
I'm a filthy freelancer! Hire me!
Old 23rd Apr 2014, 13:15   #2
Flibblebot
Smile with me
Join Date: Apr 2005
Location: Nowhere interesting
Posts: 3,956
I read on Gizmodo this morning that the team has removed 90,000 lines of unused code in the last week - if that's true, then OpenSSL has been appallingly managed for something which so much of the Internet relies on for security.
__________________
My uber-system: 66Mhz 486DX2, 8Mb RAM, 20Mb hard drive, 256 colour VGA adaptor (goes all the way up to 800x600!), keyboard AND serial mouse
Old 23rd Apr 2014, 13:42   #3
faugusztin
I *am* the guy with two left hands
Join Date: Aug 2008
Location: Bratislava, Slovakia
Posts: 5,877
Well, that is Gizmodo for you. They removed support for any platform other than OpenBSD, plus of course they removed some older tech (SSLv2 etc.). Sure, if you take some library and cut out 90% of the other platform support, you can easily cut out tons of code.
__________________
Desktop Core i7-5820K Asus X99 Deluxe Crucial DDR4-2133 8GB NH-D15 ASUS GTX980 Strix Samsung 840 EVO 1TB Aquarius X90 Superflower Golden King 550W Windows 10
Old 23rd Apr 2014, 14:27   #4
r3loaded
Ultramodder
Join Date: Jul 2010
Location: Manchester, UK
Posts: 1,080
Maybe if the billion-dollar companies who rely on such a critical library for free contributed back some cash, code fixes or just some advice, we wouldn't have had this situation in the first place.
__________________
Main: Silverstone FT03 | Asus P8P67-M Pro | i5 2500K @ 4.6Ghz | CM 212+ | 16GB Corsair Vengeance 1600Mhz | XFX Radeon 7970 DD | 500GB Samsung 840 Evo | Samsung XL2270HD | KBT Race | Sidewinder X8
Mac: 13 inch MacBook Pro 2014 | 16GB RAM | Filco Minila Air | Magic Trackpad
Server: Asus M3N78-AM | Athlon II X3 400e | 4GB Corsair XMS2 | 4x 2TB Samsung F4EG (RAID-5) | LSI MegaRAID 8708EM2 | Corsair CX400 | Arch Linux
Old 23rd Apr 2014, 14:36   #5
faugusztin
I *am* the guy with two left hands
Join Date: Aug 2008
Location: Bratislava, Slovakia
Posts: 5,877
"Last year, the foundation took in less than $1 million from donations and consulting contracts." While I know the big companies should have given more, cash is clearly not the problem here.
Old 23rd Apr 2014, 16:14   #6
Corky42
Mod Master
Join Date: Oct 2012
Posts: 2,987
Quote:
Originally Posted by faugusztin View Post
"Last year, the foundation took in less than $1 million from donations and consulting contracts." While I know the big companies should have given more, cash is clearly not the problem here.
Would you happen to have details on their income?
I ask because from what I read it seems the president of the OpenSSL Foundation, Steve Marquess, claims they take in less than $2000 a year in outright donations and sell commercial software support contracts.
In fact he goes on to say, 'The media have noted that in the five years since it was created OSF has never taken in over $1 million in gross revenues annually.'

He then goes on to say... http://veridicalsystems.com/blog/of-...ity-and-pride/
Quote:
Originally Posted by Steve Marquess
it is nowhere near enough to properly sustain the manpower levels needed to support such a complex and critical software product. While OpenSSL does “belong to the people” it is neither realistic nor appropriate to expect that a few hundred, or even a few thousand, individuals provide all the financial support. The ones who should be contributing real resources are the commercial companies[5] and governments[6] who use OpenSSL extensively and take it for granted
Old 23rd Apr 2014, 17:16   #7
faugusztin
I *am* the guy with two left hands
Join Date: Aug 2008
Location: Bratislava, Slovakia
Posts: 5,877
http://online.wsj.com/news/articles/...91350251315132

And no offense, but if you have $1m in revenues from support contracts, don't tell me you don't have the money to spend it on actual developers.
Last edited by faugusztin; 23rd Apr 2014 at 17:22.
Old 23rd Apr 2014, 17:16   #8
Phil Rhodes
Hypernobber
Join Date: Jul 2006
Posts: 1,228
I hate to pander to popular prejudice here, but what this does do is poke some very big holes in the utopian dream of open source software.

Whatever the reasons for underfunding and poor engineering, crap management is absolutely endemic in open source software. Mob rule and anarchy don't work very well, as this incident shows.

I've been banging on for years that bad management, or more to the point just no real management at all, is the single biggest problem facing open source software, for dozens of reasons, and nobody gets it.

P
Old 23rd Apr 2014, 17:27   #9
faugusztin
I *am* the guy with two left hands
Join Date: Aug 2008
Location: Bratislava, Slovakia
Posts: 5,877
Actually, the biggest problem with OpenSSL is that they are pretty much suffering from "NIH syndrome".

Or read what Theo de Raadt from OpenBSD has to say about Heartbleed:
http://article.gmane.org/gmane.os.openbsd.misc/211963
Old 23rd Apr 2014, 17:32   #10
Corky42
Mod Master
Join Date: Oct 2012
Posts: 2,987
Quote:
Originally Posted by faugusztin View Post
http://online.wsj.com/news/articles/...91350251315132

And no offense, but if you have $1m in revenues from support contracts, don't tell me you don't have the money to spend it on actual developers.
Hmm, who to believe.
Matthew Green, an encryption expert at Johns Hopkins University, or Steve Marquess the president of the OpenSSL Foundation.
Old 23rd Apr 2014, 17:48   #11
RTT
#parp
Join Date: Mar 2001
Location: London
Posts: 14,025
Quote:
Originally Posted by Flibblebot View Post
I read on Gizmodo this morning that the team has removed 90,000 lines of unused code in the last week - if that's true, then OpenSSL has been appallingly managed for something which so much of the Internet relies on for security.
90k lines of code is nothing in such a project; I wouldn't read too much into that. For example, Google dropped 9M lines of code out of Chrome/WebKit once they forked it to Blink by dropping code for archs that WebKit supported but which Chrome didn't need to - so they could just be removing code for other architectures, seeing as OpenSSL is compilable on almost anything.

edit: that's exactly what it was
__________________
This post is non-negotiable. All terms and conditions apply.
Free UK Motorcycle classifieds - Buy a Motorbike
Old 23rd Apr 2014, 21:47   #12
Guinevere
Mega Mom
Join Date: May 2010
Posts: 2,071
90k less lines is still 90k less lines. If those 90k lines of code were truly not needed by ANY platform that they claim to support they should have been removed.

Leaving in legacy code because 'well you know - busy' doesn't cut it when you're charging commercial clients for the code or to support the code.

But...

This wouldn't have solved Heartbleed, and I feel very uneasy about another fork. I don't trust their reasoning to split against working on the same codebase, and their website is simply a joke.

They are trying to instil more trust in SSL code and failing at it so far. IMHO.
Old 23rd Apr 2014, 22:28   #13
faugusztin
I *am* the guy with two left hands
Join Date: Aug 2008
Location: Bratislava, Slovakia
Posts: 5,877
It is not 90k lines not needed for OpenSSL in general. Most of it is not needed for LibreSSL running ONLY on OpenBSD. OpenSSL runs on Linux. LibreSSL doesn't. OpenSSL runs on Windows. LibreSSL doesn't. Removing 90k lines to strip the code base of Linux or Windows compatibility is not a source code optimization, nor has it anything to do with security whatsoever.
Old 24th Apr 2014, 09:04   #14
Corky42
Mod Master
Join Date: Oct 2012
Posts: 2,987
Quote:
Originally Posted by Guinevere View Post
Leaving in legacy code because 'well you know - busy' doesn't cut it when you're charging commercial clients for the code or to support the code.
Charging for open source code, since when did that happen?
Charging to support the code, I think that may be a grey area.

Yes, they offer Support Contracts, but the money from those all goes to the people directly providing the technical support services and to current active OpenSSL team members.

IMO the OpenSSL Software Foundation has been severely underfunded. Whether that is down to bad management when it came to acquiring funding, or the lack of support from the larger community, is difficult to know. Although looking on the OpenSSL web site at who has helped fund the project shows a very small list of just four companies; I personally would have expected that list to be filled with some notable names.
Old 24th Apr 2014, 12:48   #15
jb0
Minimodder
Join Date: Apr 2012
Posts: 45
*talk about removing lines by removing platform support*

Let's not forget that one of the supported platforms OpenBSD removed was big-endian x86.

Note: the x86 family is little-endian.
Note: it's not actually POSSIBLE to make a processor that is both big-endian and x86-compatible.

It takes a certain kind of special to implement support for an imaginary mirror-universe version of one of the most ubiquitous processor architectures in the world and insist there's actually a reason for this to exist.
Whatever their programmers were smoking, I want some of it.
Old 24th Apr 2014, 14:18   #16
faugusztin
I *am* the guy with two left hands
Join Date: Aug 2008
Location: Bratislava, Slovakia
Posts: 5,877
Quote:
Originally Posted by jb0 View Post
Let's not forget that one of the supported platforms OpenBSD removed was big-endian x86.
They removed everything but OpenBSD.
Old 24th Apr 2014, 14:28   #17
Flibblebot
Smile with me
Join Date: Apr 2005
Location: Nowhere interesting
Posts: 3,956
What's the issue with only supporting OpenBSD at the moment? On their website, they state:
Quote:
Originally Posted by libressl.org
Multi OS support will happen once we have:
  • Flensed, refactored, rewritten, and fixed enough of the code so we have a stable baseline that we trust and can be maintained/improved.
  • The right Portability team in place.
  • A Stable Commitment of Funding to support an increased development and porting effort.
Surely it's better to strip back to one system, make sure that's as stable and bug-free as possible, then extend to other systems? LibreSSL is, after all, part of the OpenBSD project, so it makes sense that they would support that first.

Unless, of course, you're worried about further forks by other teams to support their own preferred OS, leading to a whole different mish-mash of OpenSSL interpretations?
Old 25th Apr 2014, 20:58   #18
Thawn
Minimodder
Join Date: Nov 2013
Location: London
Posts: 26
What surprises me is that giant companies like Google and Facebook that apparently use OpenSSL to secure their services weren't doing their own audits. If you are that big and well resourced, and are relying for critical security functionality on an external project, shouldn't you be putting some effort into ascertaining that the external project is actually providing you with security?

Ideally the big guns would collaborate on this, or perhaps put the resources into ensuring the OpenSSL foundation was up to the job, but in lieu of either of those things surely they should at least be doing some rigorous internal testing and code audits?
Old 26th Apr 2014, 20:01   #19
dinoscothern
Modder
Join Date: Aug 2010
Location: Bath (mostly), Plymouth (sometimes), UK
Posts: 60
A distribution contains a lot of packages. That's a lot of lines of code. One of the perceived 'benefits' of open source is that an organisation/individual can take advantage of that prior work (they don't have to reinvent the wheel) and reduce their costs. As more machines use that software, the consequence of mistakes/poor design decisions in building that software has a greater effect. The fact that this problem was discovered (even after two years is better than never) shows that companies are (gradually) realising that they have responsibilities to contribute to/maintain that body of code (or pay someone else to do so).
Tags
heartbleed, insecurity, libressl, open source, openbsd, openssl, security, ssl, tls, vulnerability