bit-tech.net

Old 23rd Jun 2014, 10:01   #1
Gareth Halfacree
WIIGII!
bit-tech Staff
Join Date: Dec 2007
Location: Bradford, UK
Posts: 3,675
Google forks OpenSSL into BoringSSL

Hopes for no nasty surprises.
http://www.bit-tech.net/news/bits/20...le-boringssl/1
__________________
Author, Raspberry Pi User Guide, Meet the Raspberry Pi | gareth.halfacree.co.uk | twitter
bit-tech news correspondent, Custom PC columnist, other things to other people
I'm a filthy freelancer! Hire me!
Old 23rd Jun 2014, 18:16   #2
Beasteh
Multimodder
 
Join Date: Feb 2012
Location: Coventry
Posts: 242
Mr Langley? As in home of the CIA? That's no coincidence!

Seriously though, OpenSSL suffers because it's an open source project with a paltry budget. It isn't funded by the beneficiaries of the code - huge web companies that should really be giving something back to the service they rely on. It's a real embarrassment that the likes of Yahoo couldn't spare a few dollars to help fund security audits of the OpenSSL code.

It's good to see at least one firm taking responsibility.
Old 23rd Jun 2014, 22:19   #3
proxess
Hypermodder
 
Join Date: Nov 2006
Location: Zeist, Netherlands
Posts: 975
I wouldn't consider completely forking the code taking responsibility. It just means they're just another company that didn't finance OpenSSL or audits of its code either. Nor have other giants (and smaller companies) that are dependent on this technology. Actually, as stated in the post, most of them were barely aware of OpenSSL until Heartbleed (or Apple's gotos). It just means they'd rather dish out on their own variant.
__________________
Laptop: i7 4800MQ 2.7GHz (~3.7GHz); 2x 4GB Kingston HyperX Genesis 1600MHz; Nvidia 780M 4GB; Crucial M4 256GB SSD; Ubuntu 14.04 x64 and Windows 8.1 x64.
Ubuntu #8076 / Linux #429448
Old 24th Jun 2014, 08:26   #4
Gareth Halfacree
WIIGII!
bit-tech Staff
Join Date: Dec 2007
Location: Bradford, UK
Posts: 3,675
Quote:
Originally Posted by Beasteh View Post
It's a real embarrassment that the likes of Yahoo couldn't spare a few dollars to help fund security audits of the OpenSSL code.
Actually, the Linux Foundation recently launched the Core Infrastructure Initiative which sees major-name companies putting money in a pot for the Foundation to dish out to important open-source projects - starting with OpenSSL, the Network Time Protocol and OpenSSH. You'd definitely recognise some of the names: Amazon, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, VMware, Adobe, Bloomberg, HP, Huawei, salesforce.com... No Yahoo as far as I'm aware, though.
Quote:
Originally Posted by proxess View Post
I wouldn't consider completely forking the code taking responsibility. It just means they're just another company that didn't finance OpenSSL or audits of its code either. Nor have other giants (and smaller companies) that are dependent on this technology.
See above: Google is one of the companies putting real cash money into the Core Infrastructure Initiative specifically to boost OpenSSL's security and code quality. It's also promised to continue to do so even as it works on its own BoringSSL fork.
Quote:
Originally Posted by proxess View Post
Actually, as stated in the post, most of them were barely aware of OpenSSL until Heartbleed (or Apple's gotos). It just means they'd rather dish out on their own variant.
I would be very surprised if Google et al were "barely aware of OpenSSL;" the article is referring to end-users, none of whom had any reason to know the name of the library that provides cryptographic services to their operating system or application until headlines like "OPENSSL HEARTBLEED VULN WILL STEAL YOUR CHILDREN" hit the mainstream rags. Certainly, very few companies "dish out on their own variant;" building a secure cryptographic library is really hard. Look at OpenSSL: industry experts, open source, massive deployment, been running for years, and we're still finding gaping gert holes in the damn thing.
__________________
Author, Raspberry Pi User Guide, Meet the Raspberry Pi | gareth.halfacree.co.uk | twitter
bit-tech news correspondent, Custom PC columnist, other things to other people
I'm a filthy freelancer! Hire me!
Old 24th Jun 2014, 08:51   #5
faugusztin
I *am* the guy with two left hands
 
Join Date: Aug 2008
Location: Bratislava, Slovakia
Posts: 5,785
Quote:
Originally Posted by proxess View Post
I wouldn't consider completely forking the code taking responsibility. It just means they're just another company that didn't finance OpenSSL or audits of its code either.
Have you actually read the article? BoringSSL was pretty much OpenSSL + Google patches, which had been rejected by OpenSSL. BoringSSL is now switching to being a fork which includes Google patches, plus new commits from OpenSSL and LibreSSL unless there is a conflict.

It is pretty much a process change only at Google, for the SSL library used in Google products.

Before:
  • Check out OpenSSL source code
  • Apply Google patches

Now:
  • Check out BoringSSL source code
  • Apply new OpenSSL or LibreOffice commits (patches)
__________________
Cerberus Core i7-2600K Asus P8Z77-I Deluxe GSkill RipjawsX 2x8GB DDR3-1600CL9 watercooled EVGA GTX670 Samsung 840 Pro 512GB+840 EVO 1TB Bitfenix Prodigy Seasonic X-460 Windows 8.1 Pro
Prometheus i5-4460 ASRock Z97 Extreme6 4x8GB DDR3-1333 NH-D15 Samsung XP941 256GB+6xWD30EFRX+2xWD20EARS+6xWD20EARX+WD40EFRX Seasonic X-460
Old 24th Jun 2014, 19:09   #6
Beasteh
Multimodder
 
Join Date: Feb 2012
Location: Coventry
Posts: 242
Quote:
Originally Posted by Gareth Halfacree View Post
Actually, the Linux Foundation recently launched the Core Infrastructure Initiative which sees major-name companies putting money in a pot for the Foundation to dish out to important open-source projects
The active phrase there being "recently" - as per my original post, it's about time these companies supported the services they rely on.

I don't doubt that donations of code and cash have taken place in the past, but it's better to see a consistent, concerted effort with proper funding (like an in-house product might get). Of course, it could all go horribly wrong if each firm tries to pull in separate directions...
Tags
adam langley, android, boringssl, chrome, chromeos, chromium, google, heartbleed, insecurity, libressl, openssl, privacy, security, vulnerability