Wednesday, February 11, 2015

More ditching: OpenSSL

That thing must go in the trash, for real.
It turns out the Heartbleed vulnerability everybody was talking about in April 2014 was just the tip of the iceberg.
The reasons? The whole thing is buggy, very badly written, open to NSA backdoors, and, having tested it myself, the library (that is, the C interface) is impossible to use without losing one's temper...

Let's welcome LibreSSL, a fork of OpenSSL by the OpenBSD community. They have already developed a more user-friendly library (libtls) and they have been actively fixing the codebase since May.

LibreSSL has replaced OpenSSL in OpenBSD 5.6, released in November 2014. It is now production ready and can be trusted. [1]
In my opinion, people should move away from OpenSSL, and even more so from Microsoft CryptoAPI, which is closed-source. [2]

[1] http://www.openbsd.org/papers/eurobsdcon2014-libressl.html
[2] http://blog.cryptographyengineering.com/2013/09/on-nsa.html (An excellent blog for security lovers, by the way! I love what this guy writes.)