
Major OpenSSL Security Issue Found (and Fixed)

  • by slim (1652) on Thursday April 19, 2012 @10:40AM (#39733811)

    Have you ever looked at the OpenSSL code? It could have the Ark of the Covenant hidden in all that mess somewhere for all we know and we'd never find it.

    Yeah. OpenSSL has a problem -- it's good enough.

    It's poorly documented. It triggers all kinds of compiler warnings if you turn them on. Valgrind throws up all kinds of complaints. The code is really hard to grok.

    As a user of the API, there are all kinds of gotchas. Best practice isn't reflected in the defaults; you have to pick up the best flags to pass in by examining how other people have done it, or asking around.

    But, it's good enough that so far nobody's thought it's worth the effort to write a new SSL library from scratch.
    It's good enough that so far nobody's thought it's worth the effort to really firm up the free documentation (so, buy the O'Reilly book instead).

    After all, you go through a bunch of pain understanding enough of OpenSSL to put it in your app -- but you only go through that pain once, and after that, it works.

  • by Coward Anonymous (110649) on Thursday April 19, 2012 @10:41AM (#39733819)

    "because this is (yet another) bug in the ASN.1 parser"

    This is because ASN.1 is an insanely complex, wasteful and redundant standard that should have never been adopted for security related standards where simplicity is an important contributor to writing secure code.

    ASN.1 has been the bane of all the standards that ever adopted it (SNMP anyone?) and should have been shot years ago.
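Added example, not part of the thread above or of OpenSSL: a defensive DER tag-length header decoder in C showing the bounds and encoding checks that make ASN.1 length handling easy to get wrong. All names and the constructed sample buffers are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
struct der_hdr { uint8_t tag; size_t hdr_len; size_t len; };

/* Decode the tag and length of one DER element from buf[0..avail). Returns 0 on
 * success, -1 on malformed or truncated input; each rejection is an easily omitted check. */
int der_read_header(const uint8_t *buf, size_t avail, struct der_hdr *out)
{
    if (buf == NULL || out == NULL || avail < 2)
        return -1;                       /* need at least tag + one length byte */
    out->tag = buf[0];
    uint8_t first = buf[1];
    size_t pos = 2;
    if (first < 0x80) {                  /* short form: length fits in 7 bits */
        out->len = first;
    } else if (first == 0x80 || first == 0xFF) {
        return -1;                       /* indefinite or reserved: not valid DER */
    } else {                             /* long form: next (first & 0x7F) bytes */
        size_t nbytes = first & 0x7F, len = 0;
        if (nbytes > sizeof(size_t) || avail - pos < nbytes)
            return -1;                   /* would overflow size_t or read past input */
        if (buf[pos] == 0x00)
            return -1;                   /* leading zero byte: non-minimal encoding */
        for (size_t i = 0; i < nbytes; i++)
            len = (len << 8) | buf[pos + i];
        if (len < 0x80)
            return -1;                   /* short form was required for this value */
        out->len = len;
        pos += nbytes;
    }
    out->hdr_len = pos;
    if (out->len > avail - pos)
        return -1;                       /* declared length exceeds bytes actually held */
    return 0;
}

/* Constructed sample inputs; returns how many behave as expected (4). */
int der_demo_cases(void)
{
    struct der_hdr h; int ok = 0;
    static const uint8_t good[]  = {0x30, 0x03, 0x02, 0x01, 0x05};       /* SEQUENCE { INTEGER 5 } */
    static const uint8_t trunc[] = {0x04, 0x10, 0x41};                   /* claims 16 bytes, holds 1 */
    static const uint8_t indef[] = {0x30, 0x80, 0x00, 0x00};             /* BER indefinite length */
    static const uint8_t huge[]  = {0x04, 0x84, 0xFF, 0xFF, 0xFF, 0xFF}; /* claims ~4 GiB of content */
    ok += der_read_header(good,  sizeof good,  &h) == 0 && h.len == 3 && h.hdr_len == 2;
    ok += der_read_header(trunc, sizeof trunc, &h) == -1;
    ok += der_read_header(indef, sizeof indef, &h) == -1;
    ok += der_read_header(huge,  sizeof huge,  &h) == -1;
    return ok;
}
```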

  • by bill_mcgonigle (4333) on Thursday April 19, 2012 @12:48PM (#39735331)

    There have to be hundreds of serious security bugs lurking in there... the only thing saving us is that it's so nasty that the black hats who put in the effort to find the bugs for their governments or corporate espionage clients get paid damn well for their work and wouldn't dream of disclosing their findings.

    TFTFY
