OpenSSL bug sparks new development

Story 2014-04-15 in code (#3HX)
The Heartbleed bug has sparked new interest in cleaning up the OpenSSL code base. As evidenced by OpenBSD's CVS repository, the team has started removing old platform-specific code, style inconsistencies, non-free hardware crypto engines, and dubious wrappers from the library. Perhaps the best side effect of the Heartbleed bug will be a much cleaner and more secure OpenSSL package.

Ed. note: So, is a catastrophic and highly public failure what it takes to catalyze action in some projects? And if so, which other projects are in need of some energizing disaster?

Update: The mentioned cleanup is taking place in the OpenBSD CVS repository. The official OpenSSL repository information can be found at http://www.openssl.org/source/repos.html
9 comments

Just be thankful (Score: 5, Insightful)

by vanderhoth@pipedot.org on 2014-04-15 11:17 (#12M)

Ultimately I see this as a good thing; I think the editor note is hinting in the right direction. Yes, a catastrophic bug was found in an open-source project, and that's bad, but had this not been open source, how long would this bug have persisted? The only reason it was found was because someone was doing a third-party audit on the code, which couldn't have been done had it not been open.

I'm not above believing the OSS community has gotten a little lazy; hopefully devs in other projects will be more diligent and proactive. I think we'll all be better off because of this discovery.

How about.. (Score: 3, Funny)

by nightsky30@pipedot.org on 2014-04-15 12:31 (#12P)

Java or anything Oracle?

Re: How about.. (Score: 4, Interesting)

by zafiro17@pipedot.org on 2014-04-15 13:55 (#12S)

I think lots of open source projects could stand to be fuzz-tested just to see if they have any soft spots. Just because people can get access to the source code doesn't mean they do. Some bits of software are higher vulnerability than others. It's the equivalent of peer review in the scientific world.

I've seen my 3-year-old crash my Linux distro by banging on the keyboard; I have no idea how he does it. Maybe hire my little dude to fuzz-test your software by inputting crazy strings into your text fields to see what it takes to crash it.

[resisting the urge to compare average users to a 3-year-old.]

Re: How about.. (Score: 0)

by Anonymous Coward on 2014-04-16 18:33 (#13J)

Debian? *ducks*

Most of these problems already have partial solutions (Score: 4, Informative)

by fatphil@pipedot.org on 2014-04-15 14:08 (#12V)

Whilst it doesn't apply to Heartbleed, a large number of problems can be detected with static analysis.

OK, Coverity doesn't (yet) spot Heartbleed, but it soon will:
http://security.coverity.com/blog/2014/Apr/on-detecting-heartbleed-with-static-analysis.html

OpenSSL have a history of deliberately ignoring the results of such scans:
http://openssl.6102.n7.nabble.com/Coverity-coverage-of-OpenSSL-td42651.html

I agree that the false positives are annoying, but you can mark them as false positives, and you won't be warned about them again.

You're not linking to the original OpenSSL repo (Score: 4, Informative)

by codersean@pipedot.org on 2014-04-16 06:04 (#133)

The links in the article are to OpenBSD's version of OpenSSL; OpenSSL proper is NOT an OpenBSD project (it can be found here: http://www.openssl.org/source/repos.html). The naming is unfortunate. Just to straighten this out, OpenSSH is by OpenBSD.

Now, if I were going to pick one group that I would trust to do a proper OpenSSL, it would be the OpenBSD group, hoping they do a full-on fork and provide a cross-platform version like OpenSSH.

Re: You're not linking to the original OpenSSL repo (Score: 2, Interesting)

by nightsky30@pipedot.org on 2014-04-16 12:25 (#138)

Not sure where I saw it yesterday, but someone else made a similar statement, in that the changes they are making over at OpenBSD might never end up merged back into OpenSSL proper. If they do merge the changes into OpenSSL proper, excellent. If they don't merge the changes from OpenBSD, then I don't really mind a fork in the name of security. If that were the case, hopefully other *nix OSs would switch.

If only they were using git as upstream (Score: 2, Insightful)

by luzero@pipedot.org on 2014-04-16 10:21 (#136)

Contributing would have been much easier.

LibreSSL (Score: 1)

by bryan@pipedot.org on 2014-04-24 20:07 (#15Q)

The OpenBSD project's fork of OpenSSL is now called LibreSSL.