OpenBSD Journal

It's Official: The OpenSSL Overhaul Is A Fork: Welcome LibreSSL in OpenBSD 5.6

Contributed by weerd on from the must-have-missed-starssl-then dept.

Yes, it's official. The recent work in cleaning up OpenSSL is now officially a fork, with its own website and donation link.

The project's name going forward is LibreSSL, and according to the (so far spartan) website, the first release will be included in OpenBSD 5.6, which is expected to be released November 1st, 2014.

The order of the day (or following weeks and months, more likely) is cleanup first, then, as it says on the website,

For other OS's

 Coming Soon Please Be Patient

Multi OS support will happen once we have

  • Flensed, refactored, rewritten, and fixed enough of the code so we have stable baseline that we trust and can be maintained/improved.
  • The right Portability team in place.
  • A Stable Commitment of Funding to support an increased development and porting effort.
We know you all want this tomorrow. We are working as fast as we can but our primary focus is good software that we trust to run ourselves. We don't want to break your heart.

Also just in: Ars Technica has a story about LibreSSL: OpenSSL code beyond repair, claims creator of “LibreSSL” fork, with a nice sampling of quotables from Theo de Raadt (deraadt@), while Ted Unangst (tedu@) has contributed a origins of libressl blog post and just told misc@ that FIPS mode is not coming back to LibreSSL..

(Comments are closed)


Comments
  1. By Rich (62.232.9.62) on

    Can someone clarity please? I realise the OpenSLL project is autonomous, but I always thought it came under the OpenBSD project anyway; I'm sure Theo's name appears in some of the early credits. Or did it start off that way and then drift off on its own?

    Comments
    1. By Anonymous Coward (188.126.223.162) on

      > Can someone clarity please? I realise the OpenSLL project is autonomous, but I always thought it came under the OpenBSD project anyway; I'm sure Theo's name appears in some of the early credits. Or did it start off that way and then drift off on its own?

      "OpenSSL is based on SSLeay by Eric Andrew Young and Tim Hudson, development of which unofficially ended on December 17, 1998"

      https://en.wikipedia.org/wiki/Openssl#History_of_the_OpenSSL_project

      Comments
      1. By jdv (216.16.224.222) jdv@clevermonkey.org on http://clvrmnky.org/

        > > Can someone clarity please? I realise the OpenSLL project is autonomous, but I always thought it came under the OpenBSD project anyway; I'm sure Theo's name appears in some of the early credits. Or did it start off that way and then drift off on its own?
        >
        > "OpenSSL is based on SSLeay by Eric Andrew Young and Tim Hudson, development of which unofficially ended on December 17, 1998"
        >
        > https://en.wikipedia.org/wiki/Openssl#History_of_the_OpenSSL_project
        >

        I /just/ realized yesterday that "libeay" is based on an acronym for one of the author's names.

        All these years trying to remember how that stupid libname is spelled and pronounced...

        And yes, there is no official link between OpenBSD and OpenSSL. OpenBSD has a relationship with OpenSSL like any other downstream implementer: they used it, trusted it to a point, and contributed patches to upstream.

        Comments
        1. By @jdv (62.232.9.62) on

          Ta muchly for the answer.

      2. By Rich (62.232.9.62) on

        "OpenSSL is based on SSLeay..." - Errr, yep - I know that

        "...wikinonesense.com..../" - Errr, nope - that doesn't answer my question either

        Thank you for not answering my question at all. Are you saying that it's not a reasonable question? I mean, the OSSL web page used to look exactly the OBSD web page, the name is suspiciously similar, and some of the same guys worked on both projects. So it is/isn't (?) part of OBSD?

        And I love the fact that I've been modded down by 5 people no less! For daring to ask a question!! What a heinous crime I have committed. It's lovely to see the OBSD team spirit is alive and well :)

        Comments
        1. By Anonymous Coward (91.9.214.118) on

          > "OpenSSL is based on SSLeay..." - Errr, yep - I know that
          >
          > "...wikinonesense.com..../" - Errr, nope - that doesn't answer my question either
          >
          > Thank you for not answering my question at all. Are you saying that it's not a reasonable question? I mean, the OSSL web page used to look exactly the OBSD web page, the name is suspiciously similar, and some of the same guys worked on both projects. So it is/isn't (?) part of OBSD?
          >
          > And I love the fact that I've been modded down by 5 people no less! For daring to ask a question!! What a heinous crime I have committed. It's lovely to see the OBSD team spirit is alive and well :)

          There's a lot of information on the Internet; perhaps you've heard of it.

          Comments
          1. By Rich (62.232.9.62) on

            Quite right - I should be burned at the stake. Stone the non-believer! Kill the heretic!!!

            Comments
            1. By Anonymous Coward (91.9.214.118) on

              > Quite right - I should be burned at the stake. Stone the non-believer! Kill the heretic!!!

              No, just the person who doesn't take the time to access the information to which he has access before bothering others to spoon-feed it to him. It's not always about you personally, just the shit you're pulling at that moment.

            2. By Chris (50.71.129.10) on

              > Quite right - I should be burned at the stake. Stone the non-believer! Kill the heretic!!!

              Is stoning people that refuse to do basic research really an option? That changes things!


        2. By phessler (phessler) on why in god's name am I wearing pants?

          > "OpenSSL is based on SSLeay..." - Errr, yep - I know that
          >
          > "...wikinonesense.com..../" - Errr, nope - that doesn't answer my question either
          >
          > Thank you for not answering my question at all. Are you saying that it's not a reasonable question? I mean, the OSSL web page used to look exactly the OBSD web page, the name is suspiciously similar, and some of the same guys worked on both projects. So it is/isn't (?) part of OBSD?
          >

          I will simplify:

          OpenSSL is NOT (repeat, NOT) from the OpenBSD project. OpenBSD is not responsible for any code in OpenSSL. Nobody from the OpenBSD project is or was part of the OpenSSL project.

          OpenSSL was incorporated into the OpenBSD codebase, because OpenBSD used their crypto and ssl libraries.

          Now, OpenBSD has forked the OpenSSL tree into LibReSSL, and is fixing it. OpenBSD is only responsible for code in LibReSSL.

          Is this all clear now?

          Comments
    2. By BL (85.24.209.88) on

      > Can someone clarity please? I realise the OpenSLL project is autonomous, but I always thought it came under the OpenBSD project anyway; I'm sure Theo's name appears in some of the early credits. Or did it start off that way and then drift off on its own?

      You are confusing OpenSSL, which has no relation to OpenBSD, with the OpenBSD-driven project OpenSSH. It is the latter website (www.openssh.org) that looks very similar to www.openbsd.org.

  2. By Anonymous Coward (152.77.159.23) on

    With that kind of name, you'd think the library is associated with either the GNU project (yes, there's GnuTls) or even the libreoffice project...

    Why also keep that SSL?

    Comments
    1. By Anonymous Coward (2003:56:2e26:a800:584e:1986:1464:e77f) on

      > With that kind of name, you'd think the library is associated with either the GNU project (yes, there's GnuTls) or even the libreoffice project...
      >
      > Why also keep that SSL?

      lib ReSSL

    2. By Anonymous Coward (188.126.223.162) on

      > With that kind of name, you'd think the library is associated with either the GNU project (yes, there's GnuTls) or even the libreoffice project...

      True, we should also rename OpenBSD so we don't confuse people making them think we have something to do with OpenOffice, or basically anything that begins with Open.

      Comments
      1. By Anonymous Coward (152.77.159.23) on

        > > With that kind of name, you'd think the library is associated with either the GNU project (yes, there's GnuTls) or even the libreoffice project...
        >
        > True, we should also rename OpenBSD so we don't confuse people making them think we have something to do with OpenOffice, or basically anything that begins with Open.

        Ok, the libreoffice was far streched, but you never maybe noticed the continuity in openbsd, openssh, opencvs, openntpd, etc, while RMS professed the world libre as part of modern version of his manifesto. This naming reeks the troll.

        Comments
        1. By jdv (216.16.224.222) jdv@clevermonkey.org on http://clvrmnky.org/


          > Ok, the libreoffice was far streched, but you never maybe noticed the continuity in openbsd, openssh, opencvs, openntpd, etc, while RMS professed the world libre as part of modern version of his manifesto. This naming reeks the troll.
          >
          Are you having a stroke?

          Comments
          1. By Anonymous Coward (37.160.62.123) on

            >
            > > Ok, the libreoffice was far streched, but you never maybe noticed the continuity in openbsd, openssh, opencvs, openntpd, etc, while RMS professed the world libre as part of modern version of his manifesto. This naming reeks the troll.
            > >
            > Are you having a stroke?
            >

            you funny lol

          2. By Anonymous Coward (152.77.159.23) on

            >
            > > Ok, the libreoffice was far streched, but you never maybe noticed the continuity in openbsd, openssh, opencvs, openntpd, etc, while RMS professed the world libre as part of modern version of his manifesto. This naming reeks the troll.
            > >
            > Are you having a stroke?
            >
            From preteen trolls that probably run XP and never write a line of code? Hardly, but I guess this is what I get when trying to speak here.

    3. By Anonymous Coward (130.185.136.244) on

      > With that kind of name, you'd think the library is associated with either the GNU project (yes, there's GnuTls) or even the libreoffice project...
      >
      > Why also keep that SSL?

      OpenTLS was take, so they had to pick something different.
      BSDTLS/BSDSSL doesn't make sense, because most of the code is still under the OpenSSL license.

      So now you left with <SOMETHING>(SSL/TLS). LibreSSL is a just as good as anything else. Also most people won't care about the name anyway.

      Comments
      1. By Anonymous Coward (91.151.125.100) on

        > So now you left with <SOMETHING>(SSL/TLS). LibreSSL is a just as good as anything else. Also most people won't care about the name anyway.
        Open-OpenSSL?

        Comments
        1. By Anonymous Coward (2003:56:2e26:a800:584e:1986:1464:e77f) on

          > > So now you left with <SOMETHING>(SSL/TLS). LibreSSL is a just as good as anything else. Also most people won't care about the name anyway.
          > Open-OpenSSL?
          >

          Any name incorporating "OpenSSL" is specifically disallowed by the OpenSSL copyright.

      2. By Anonymous Coward (2601:6:51c0:f1:597a:37a6:4e71:3f88) on

        > ... Also most people won't care about the name anyway.

        Trolls will.

        Everyone else will pass on the name and focus on the enhanced security of the code.

  3. By Tualha (68.101.72.192) tualha@pobox.com on

    > This page scientifically designed to annoy web hipsters. Donate now to stop the Comic Sans and Blink Tags

    Wow, I'm in awe. Not only did they use Comic Sans and the blink tag, they're actually asking for money to make those misfeatures go away! Way to be taken seriously, folks. Way to serve the community.

    Tell you what. I will happily donate some money after they remove those idiocies. Not before.

    Comments
    1. By stsp (217.197.84.42) on

      Removing idiocies from the SSL code has priority for now.

      Comments
      1. By Tualha (68.101.72.192) tualha@pobox.com on

        Then they shouldn't have taken the time to add them in the first place, eh?

        Comments
        1. By Paul Irofti (bulibuta) on gopher://sdf.lonestar.org/1/users/bulibuta

          > Then they shouldn't have taken the time to add them in the first place, eh?

          You are very confused. Go read-up on the OpenSSL origins.

          Comments
          1. By Tualha (68.101.72.192) tualha@pobox.com on

            Sigh. Not the OpenSSL bugs. They shouldn't have added the website ugliness. All it accomplishes is to make them look unprofessional and immature.

            Comments
            1. By henning (41.141.104.144) on

              > Sigh. Not the OpenSSL bugs. They shouldn't have added the website
              > ugliness. All it accomplishes is to make them look unprofessional and
              > immature.

              looks like we succeeded in annoying at least one web hipster.

              couldn't care less wether that makes us look unprofessional and immature. you forgot the "to me" in that sentence anyway.

              the code counts. period.

            2. By vvim (unisoftdesign) on

              > Sigh. Not the OpenSSL bugs. They shouldn't have added the website ugliness. All it accomplishes is to make them look unprofessional and immature.
              >

              Yeah, because it's so important to make yourself look pro and sucker the internet into using your crap code...

              There's too many fakers who take themselves too seriously, dude. Chill out & hack. Stop wearing a tie and let your beard grow.

              Comments
              1. By jdv (216.16.224.222) jdv@clevermonkey.org on http://clvrmnky.org/

                > > Sigh. Not the OpenSSL bugs. They shouldn't have added the website ugliness. All it accomplishes is to make them look unprofessional and immature.
                > >
                >
                > Yeah, because it's so important to make yourself look pro and sucker the internet into using your crap code...
                >
                > There's too many fakers who take themselves too seriously, dude. Chill out & hack. Stop wearing a tie and let your beard grow.

                Or, grow a big mustache, wax it, and wear a bow-tie.

                Or, side-burns and a cravat.

                Wait, no. A goatee and a stylish scarf.

                Really, just forget to shave for a few days and put on some clothes.


    2. By Anonymous Coward (192.168.15.148) on

      > Wow, I'm in awe. Not only did they use Comic Sans and the blink tag, they're actually asking for money to make those misfeatures go away! Way to be taken seriously, folks. Way to serve the community.


      At least they're going one better than OpenSSL and actually offering to take away the horrible stuff :-)

    3. By jdv (216.16.224.222) jdv@clevermonkey.org on http://clvrmnky.org/

      > This page scientifically designed to annoy web hipsters. Donate now to stop the Comic Sans and Blink Tags
      >
      > Wow, I'm in awe. Not only did they use Comic Sans and the blink tag, they're actually asking for money to make those misfeatures go away! Way to be taken seriously, folks. Way to serve the community.
      >
      > Tell you what. I will happily donate some money after they remove those idiocies. Not before.
      >

      If you see the blink tag, get a better browser. That tag is no longer part of any modern spec, and good browsers ignore it. If Comic Sans annoys you, change the CSS locally.

      If you want better TLS on your platform, consider that "community" works both ways, and quality code isn't cheap.

      Think about the for-profit behemoths that include this code in their products. Google and Apple have paid for stuff like this before. They will do it again, because it is good business.

      "Free" doesn't mean "cheap."

      Right now OpenBSD is simply updating its libssl. You don't have to care how that is happening, if you don't want to. If *you* want a port of this libssl to your platform, then someone is going to have to do that. And a TLS C library is not something that can just be grown by committee. You have to have smart people who know what they are doing. People like this should be paid for that work.

      Or, you know, feel free to use OpenSSL forever. They might actually maintain it at some point again.

      Comments
      1. By Tualha (68.101.72.192) tualha@pobox.com on

        > If you see the blink tag, get a better browser.

        Oh, I'm running the very latest Firefox. And sure enough, it blocks the blink tag -- unless the web designer goes to the trouble to add this:

        blink {
        	animation:blink 1s;
        	animation-iteration-count: infinite;
        	-webkit-animation:blink 1s;
        	-webkit-animation-iteration-count: infinite;
        }
        

        > People like this should be paid for that work.

        Indeed, and as I indicated above, I'll be happy to donate to that cause, as soon as they stop acting like adolescents and their website stops looking like a 1995 Geocities page.

        Comments
        1. By jdv (216.16.224.222) jdv@clevermonkey.org on http://clvrmnky.org/

          > If you see the blink tag, get a better browser.
          >
          > Oh, I'm running the very latest Firefox. And sure enough, it blocks the blink tag -- unless the web designer goes to the trouble to add this:
          >
          Like I said, get a browser that works. I see no blink tags with FF anywhere. I don't care why, but it is a fact that blink can be disabled everywhere easily. Why are you even going there?

          >
          > People like this should be paid for that work.
          >
          > Indeed, and as I indicated above, I'll be happy to donate to that cause, as soon as they stop acting like adolescents and their website stops looking like a 1995 Geocities page.

          1. The design of a project web site has little or nothing to do with the project itself. (Other than advertisement and LibreSSL _doesn't need advertisement_)

          2. Open Source is not magic fairy dust. This is a serious undertaking, and it is perfectly reasonable to ask for money for the OpenBSD Foundation for this or any other project. OpenBSD always asks for money. Always have. Always will.

          3. It is also perfectly reasonable for you to not want to give anyone money.

          But making some crack about the quality of the project web page being the deciding factor for you makes you look like a jerk, and your comments are being modded down appropriately.

          Your priorities aren't straight. You'll want to see about that.

          Will you benefit from the project once completed _in less than 6 months_? If not, stop worrying about HTML markup and CSS of a page that means nothing to you. Will you benefit from a port of the library eventually? Signs point to "yes", so do with that what you will.

          It still has little to do with a web site that was designed to piss you off, and has succeeded. Do you want to be that easy to annoy?

          Again, you can continue to use OpenSSL. They might even fix some bugs in it eventually. They are only a few years behind.

        2. By who cares? (156.35.221.167) on

          > People like this should be paid for that work.
          >
          > Indeed, and as I indicated above, I'll be happy to donate to that cause, as soon as they stop acting like adolescents and their website stops looking like a 1995 Geocities page.

          1. OpenBSD developers do not act like adolescents; they come from hackers culture. It may not fit on some tie-targeted business models, but to clever people what really matters are results and, trust me, this one will become the most serious SSL implementation.

          2. I prefer the old 90's pre-Google, pre privacy violations, Internet to the current one. I prefer some simple design that works and carries information than pretty software GUIs and overdesigned web pages that carry bugs, wasting of resources and, sometimes, backdoors and "hidden gifts".

      2. By Anonymous Coward (91.154.66.65) on

        > If Comic Sans annoys you, change the CSS locally.

        Better yet, disable web fonts, pick a font that is readable, and don't let pages override it. Just look at how many vulnerabilities freetype has had in it. Then look at the code -- do you really need to expose >100ksloc of complexity just so someone can shove his ugly designer fonts on you, while wasting CPU cycles and memory?

    4. By phessler (phessler) on why in god's name am I wearing pants?

      > This page scientifically designed to annoy web hipsters. Donate now to stop the Comic Sans and Blink Tags
      >
      > Wow, I'm in awe. Not only did they use Comic Sans and the blink tag, they're actually asking for money to make those misfeatures go away! Way to be taken seriously, folks. Way to serve the community.
      >
      > Tell you what. I will happily donate some money after they remove those idiocies. Not before.
      >

      So, your biggest problem with fixing OpenSSL is /the font/, and not the fact /people are removing obscene security holes/ ? Are you sure you have your priorities in the correct order?

    5. By Anonymous Coward (130.185.136.244) on

      > Wow, I'm in awe. Not only did they use Comic Sans and the blink tag, they're actually asking for money to make those misfeatures go away! Way to be taken seriously, folks. Way to serve the community.

      The OpenBSD developers have been using Comic Sans for their slides for years, nobody ever complained.
      It's amazing how much focus how many people comment on the site, especially given the comment in the footer.

      I guess humour is beyond a rather large number of people.

    6. By Anonymous Coward (2001:67c:2e8:13:e5dd:849e:2c77:a942) on

      > This page scientifically designed to annoy web hipsters. Donate now to stop the Comic Sans and Blink Tags
      >
      > Wow, I'm in awe. Not only did they use Comic Sans and the blink tag, they're actually asking for money to make those misfeatures go away! Way to be taken seriously, folks. Way to serve the community.
      >
      > Tell you what. I will happily donate some money after they remove those idiocies. Not before.
      >

      Wow, you don't like Comic Sans? Why do you have it on your system then? It's not like they went through the trouble of making it a web downloadable font.

    7. By Chris (142.161.27.175) on

      > This page scientifically designed to annoy web hipsters. Donate now to stop the Comic Sans and Blink Tags
      >
      > Wow, I'm in awe. Not only did they use Comic Sans and the blink tag, they're actually asking for money to make those misfeatures go away! Way to be taken seriously, folks. Way to serve the community.
      >
      > Tell you what. I will happily donate some money after they remove those idiocies. Not before.
      >

      The important question is: if they don't bow to your aesthetic demands, will you refuse to make use of the code when it finds its way into your favorite Linux distro?

    8. By Anonymous Coward (166.48.188.146) on

      > This page scientifically designed to annoy web hipsters. Donate now to stop the Comic Sans and Blink Tags
      >
      > Wow, I'm in awe. Not only did they use Comic Sans and the blink tag, they're actually asking for money to make those misfeatures go away! Way to be taken seriously, folks. Way to serve the community.
      >
      > Tell you what. I will happily donate some money after they remove those idiocies. Not before.
      >

      Good to know the devs are more focussed on the code than the web page.

    9. By Anonymous Coward (216.16.224.222) on

      > This page scientifically designed to annoy web hipsters. Donate now to stop the Comic Sans and Blink Tags
      >
      > Wow, I'm in awe. Not only did they use Comic Sans and the blink tag, they're actually asking for money to make those misfeatures go away! Way to be taken seriously, folks. Way to serve the community.
      >
      > Tell you what. I will happily donate some money after they remove those idiocies. Not before.
      >

      Here ya go: http://userstyles.org/styles/94722/comic-sans-everywhere

    10. By Anonymous Coward (68.96.73.45) on

      tell you what. I'll stop laughing at you when you stop judging code written by arguably the most important open source project programmers in the world by the landing page, which is meant to be a fucking joke. not before.

      > This page scientifically designed to annoy web hipsters. Donate now to stop the Comic Sans and Blink Tags
      >
      > Wow, I'm in awe. Not only did they use Comic Sans and the blink tag, they're actually asking for money to make those misfeatures go away! Way to be taken seriously, folks. Way to serve the community.
      >
      > Tell you what. I will happily donate some money after they remove those idiocies. Not before.
      >

  4. By Anonymous Coward (37.5.0.146) on

    Is there a chance broken algorithms get removed as well?

    I think about RC4, MD5 (new certs get signed with sha...), DES, 3DES (does anybody seriously uses it in https for example), DSA (suspected backdoored by NSA)...

    Sure not everything can get dropped but including algorithms like chacha20 then would be an improvement.

    I exspect that libreSSL will take over the rule as becomming the most dominant SSL libary in some years. Like OpenSSH took over from SSH.

    Thus you don't need a IETF to define standards, YOU ARE the standard comite. :-)


    I know a cleanup will take time but it would be good if those who support this project actively keep in mind that it is YOU who makes the standards now. I am sure some known cryptographers would assist in more theoretical aspects. :-)

    Comments
    1. By jdv (216.16.224.222) jdv@clevermonkey.org on h

      > Is there a chance broken algorithms get removed as well?
      >
      > I think about RC4, MD5 (new certs get signed with sha...), DES, 3DES (does anybody seriously uses it in https for example), DSA (suspected backdoored by NSA)...
      >
      > Sure not everything can get dropped but including algorithms like chacha20 then would be an improvement.
      >
      > I exspect that libreSSL will take over the rule as becomming the most dominant SSL libary in some years. Like OpenSSH took over from SSH.
      >
      > Thus you don't need a IETF to define standards, YOU ARE the standard comite. :-)
      >
      >
      > I know a cleanup will take time but it would be good if those who support this project actively keep in mind that it is YOU who makes the standards now. I am sure some known cryptographers would assist in more theoretical aspects. :-)

      Reading the commits, some of this work is being anticipated and discussed.

    2. By phessler (phessler) on why in god's name am I wearing pants?

      > Is there a chance broken algorithms get removed as well?
      >
      > I think about RC4, MD5 (new certs get signed with sha...), DES, 3DES (does anybody seriously uses it in https for example), DSA (suspected backdoored by NSA)...
      >
      > Sure not everything can get dropped but including algorithms like chacha20 then would be an improvement.
      >
      > I exspect that libreSSL will take over the rule as becomming the most dominant SSL libary in some years. Like OpenSSH took over from SSH.
      >
      > Thus you don't need a IETF to define standards, YOU ARE the standard comite. :-)
      >
      >
      > I know a cleanup will take time but it would be good if those who support this project actively keep in mind that it is YOU who makes the standards now. I am sure some known cryptographers would assist in more theoretical aspects. :-)

      Step one is to remove broken things, not to change the API. Removing algorithms is a later step.

      (for those that noticed some "algorithms" being removed earlier: those were hot-pluggable engines, that were either never enabled or required a 3rd party module. Some of them were terrifyingly insecure.)

    3. By JimBob (140.158.252.22) on

      > I think about RC4, MD5 (new certs get signed with sha...), DES, 3DES (does anybody seriously uses it in https for example), DSA (suspected backdoored by NSA)...
      >

      It makes sense to remove RC4, MD5, and DES, at the very least. The attacks against RC4 are good enough to make anybody nervous about trusting it, and collision and preimage attacks against MD5 are pretty scary. The key length on DES is simply too short to be acceptable.

      3DES is, to the best of everybody's knowledge, still... okay, if not perfect. There are good reasons to avoid it, of course: it's slow as hell, there are some theoretical attacks that would give any good cryptologist pause, and worrying about weak keys is an annoyance. It certainly shouldn't be the default algorithm (and probably ought to be disabled by default, actually). But if you're working with legacy systems, 3DES might be nice to have. At the same time, it's that much more code to maintain-- I can see both sides of the argument on this one, though I lean toward throwing it out.

      DSA is a bit trickier. There are some pretty big known weaknesses in DSA-- for instance, if you don't pick the k-values in a sufficiently random way, security falls apart pretty quickly. Some folks speculate that this is a backdoor, but it isn't the "smoking gun" that we saw with DUAL_EC_DRBG.

      I would argue that, even if DSA isn't backdoored, it's pretty brittle. If anybody can implement DSA securely, it will be Theo and crew. But, whether DSA is backdoored or not, there are other digital signature techniques (RSA being the most common) that aren't as easy to screw up and get wrong. Unfortunately, backdoor or no, DSA is in pretty wide use-- so disabling it could cause problems.

      RC4, MD5, and DES desperately need to go bye-bye. Use of 3DES and DSA should be discouraged at a minimum, and might need to be deprecated entirely.

      We'll see what the team does. For right now, I'm just glad to know that some security professionals with good track records are giving the OpenSSL code a thorough working-over.

    4. By phessler (phessler) on why in god's name am I wearing pants?

      > Is there a chance broken algorithms get removed as well?
      >
      > I think about RC4, MD5 (new certs get signed with sha...), DES, 3DES (does anybody seriously uses it in https for example), DSA (suspected backdoored by NSA)...


      MD5 is mandatory for some protocols, so that cannot be removed.

      RC4 is still useful for some things, but should be discouraged from general use.

      I don't know of any standards mandating DSA, but they likely exist.

      Regardless of our feelings about these algorithms, we will need to keep compatibility. Of course, we should also try to help them be retired from active use.

  5. By sneaker (204.11.200.61) on

    Jesus shitting fucking fuck with the bikeshedding. Is this undeadly or misc@?

    Comments
    1. By Anonymous Coward (216.16.224.222) on

      > Jesus shitting fucking fuck with the bikeshedding. Is this undeadly or misc@?

      Please make your comments more red.

    2. By Anonymous Coward (31.172.30.3) on

      > Jesus shitting fucking fuck with the bikeshedding. Is this undeadly or misc@?

      Do you even know what bikeshedding is?

  6. By Anonymous Coward (68.96.73.45) on

    everyone made fun of me when i posted this:

    http://undeadly.org/cgi?action=article&sid=20140415093252&pid=6

    oh nohz r u laughing nao noobz? pheer meh.

    Comments
    1. By Anonymous Coward (216.16.224.222) on

      > everyone made fun of me when i posted this:
      >
      > http://undeadly.org/cgi?action=article&sid=20140415093252&pid=6
      >
      > oh nohz r u laughing nao noobz? pheer meh.

      Can we still make fun of you?

      Comments
      1. By Fredrik Ludl (85.24.249.64) fredrik@ludl.se on

        > > everyone made fun of me when i posted this:
        > >
        > > http://undeadly.org/cgi?action=article&sid=20140415093252&pid=6
        > >
        > > oh nohz r u laughing nao noobz? pheer meh.
        >
        > Can we still make fun of you?
        >

        I think the LibreSSL webpage is really cool. :)
        Its informative, it tells me what has happened, and what will happen.
        As a user I get the information I want/need.
        The authors stylish approach is a clear way to express their intentions. :)
        So if we leave the programmers in peace for a while, and donate! We will get a state of the art program with library in November. (We will see the progress in -current I presume.)

  7. By chronicdiscord (70.31.112.39) on

    So, a clever fellow came up with this: http://i.imgur.com/uvrRIba.png

    I really think it would be great to see a Puff with a lucha libre theme should this child process do well.

Latest Articles

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]