I've said this before, but kudos to the OpenBSD Project for shouldering a disproportionate share of the burden of maintaining core bits of our libre/open infrastructure. I can't think of anyone in tech who has not benefited mightily from OpenSSH and who will not benefit mightily from LibreSSL.<p>This article is a good reminder for me to get off my arse and cut my meager grad-student checks to the EFF and OpenBSD project.
Among the good and bad stories this year, so far, LibreSSL is the good story of the year.<p>Also happy to hear a bit about the ressl API. To me it sounds like a focused, high-level API that makes it easy to get right and hard to get wrong. So kind of like NaCl. It's clearly the future -- look at the huge amount of software being written for Sodium now, for example. It's huge.
> In particular, we answer the question "What would the user like to do?" and not "What does the TLS protocol allow the user to do?"<p>This makes me think of the laudable approach taken by the developers for the Cryptography library for Python. Expose functions to users with <i>sane and safe</i> settings, and provide the abilities to override the defaults if you really must (but in such a manner that it's extremely clear that you're stepping into dangerous territory).
Interesting and quick work. The story of the libcrypto SRP glass house makes me feel like a little kid who just heard a ghost story.<p>Is OpenSSL being notified of security bugs you all find in your paring down process?
There is some agonizing done over the rewrite culminating in the need for a redesign of the API. I've wondered why there wasn't a light-weight library that simply implemented the <i>smallest</i> number of protocols to deliver the necessary components for a secure <i>HTTPS</i> connection. You'd have some other library for other protocols, but this one should have the feature of being as light-weight (and small) as possible. Wouldn't that be the cyphersuite of choice for most hosting facilities?
Off-topic, but the markup of that page is really interesting. I've never seen someone do this before:<p><h1>LibreSSL: More Than 30 Days Later</h1>
Ted Unangst<p>
tedu@openbsd.org<p><p>LibreSSL was officially announced to the world just about exactly five months
ago. Bob spoke at BSDCan about the first 30 days. For those who weren't there,
I'll quickly rehash some of that material. Also, it's always best to start at
the beginning, but then I'll try to focus on some new material and updates.<p><h1>openssl</h1>
It kinda bugs me when time-sensitive articles (like those about software) are published without a date on them. The article does not mention a date when it was written; I assume it was recently. It mentions "2014-09-09 FreeBSD advisory", and the date today is 2014-09-28, so September 2014 is a good bet.
> Look at all the points where memory is allocated, and then make sure it is freed, exactly one time, no more, no less.<p>C is clearly the wrong language for something this security critical if that's where your bugs are. C++ solved this many years ago.
So...<p>* it's broken on other platforms<p>* they broke features in their releases (no QA/testing?)<p>* they're making a new API based on requirements of their own programs that doesn't provide many of the OpenSSL features.<p>* they're using CVS, no public code reviews available. There's no evidence some of the changes were reviewed by someone other than who made the commit. (OpenSSL now does reviews)<p>* no public audit available.<p>* they have some hateful note about hipsters on their web page as an excuse after 5 months to not make it readable. So unprofessional it hurts.<p>* Most changes were done five months ago, with not much at all done for two months.<p>* The test/ directory has very few changes at all. No extra tests have been added.<p>* I can't find a release plan, architecture documentation, or any documentation a serious software project should have. (OpenSSL is working on these though)<p>Finally... their official distribution website doesn't use SSL. That's a major security issue of the face palm variety.<p>Not. Inspiring. Confidence.<p>The OpenSSL project on the other hand has been doing some good work. Please see the project's road map from July to see what they are changing. <a href="https://www.openssl.org/about/roadmap.html" rel="nofollow">https://www.openssl.org/about/roadmap.html</a>