LibreSSL Article

Post by mike acker on Sun Jul 13, 2014 8:36 am

I found this article on LibreSSL this morning. Hopefully we can all get updated, RSN.
Home assembled box using ASUS M5A88-M motherboard and x64 AMD Phenom II X4 3.4GHz cpu; 4x4MB DDR3 RAM

Re: LibreSSL Article

Post by kurotsugi on Sun Jul 13, 2014 8:53 am

AFAIK Debian and Ubuntu are still using OpenSSL instead of LibreSSL. It means that we won't get any update from LibreSSL. Here's the info: https://tracker.debian.org/pkg/openssl

Re: LibreSSL Article

Post by xenopeek on Mon Jul 14, 2014 4:13 am

I don't quite follow the LibreSSL. OpenSSL now has two full-time developers through funding from Linux Foundation, and Open Crypto Audit Project has funding for doing an audit of the code: http://www.linuxfoundation.org/news-med ... ew-backers. While LibreSSL made sense before the Linux Foundation could get the funding arranged, what sense does it make now? There are no full-time developers working on LibreSSL I think, nor is the code being audited by anybody but the developers. Why don't the LibreSSL developers join effort on OpenSSL? They have a clean roadmap: https://www.openssl.org/about/roadmap.html. It seems to be tackling the same stuff...

I'll be sticking with OpenSSL till it's clear what exactly LibreSSL improves security wise and how it is a long-term viable solution that doesn't fall into disarray once the developers' interest wanes. Long-term OpenSSL seems to be in a healthier position, with long-term commitment and funding from the industry.

Re: LibreSSL Article

Post by kurotsugi on Mon Jul 14, 2014 3:05 pm

I've heard that LibreSSL offers better compactness and portability between multiple platforms. At this moment I haven't heard of any Linux distro using LibreSSL yet, but that might change when BSD officially switches to LibreSSL.

Re: LibreSSL Article

Post by DrHu on Mon Jul 14, 2014 3:36 pm

BSD* usually suggest they have a more structured approach to code development and therefore can offer better guarantee of Quality
--from your link: ref the BSD developer
    None of this should come as a surprise to anyone who has been following the fallout from the Heartbleed vulnerability scandal. Most of the same issues were raised by de Raadt – albeit less politely – when he decided to fork OpenSSL as LibreSSL in April
http://insanecoding.blogspot.ca/2014/04 ... d-bad.html

http://www.libressl.org/
http://www.eweek.com/security/after-hea ... ressl.html
    I certainly remember their pf packet filter project and the hard drive slice setups..
-and the fact that it could run Linux apps, however I found most of the action happening in the Linux world (desktops or new apps..)

And there is always a warning message from the Dark Side (the other side(s))
http://www.cio.com/article/2375537/open ... think.html

Re: LibreSSL Article

Post by xenopeek on Tue Jul 15, 2014 2:53 am

LibreSSL is not without its own faults. Article showing how LibreSSL is unsafe to use on Linux: https://www.agwa.name/blog/post/libress ... e_on_linux. As might have been expected with the chest pounding from the LibreSSL camp about all the code they have been removing; they've removed too much in this case.

Re: LibreSSL Article

Post by /dev/urandom on Tue Jul 15, 2014 6:12 am

xenopeek wrote: There are no full-time developers working on LibreSSL I think, nor is the code being audited by anybody but the developers.


... who pretty much know what they do as OpenBSD is audited all the time. BTW, they collect donations so they can start working on it full-time.

xenopeek wrote: Article showing how LibreSSL is unsafe to use on Linux: https://www.agwa.name/blog/post/libress ... e_on_linux.


That's because Linux's PRNG is unsafe. Maybe you might want to slay the tool, not the one who carries it.
Linux is not the only answer! :: eD2k/Kad mirrors for Linux Mint and LMDE.
Users who misspell "Windows" as "Windoze" intentionally will be considered stupid.


Re: LibreSSL Article

Post by xenopeek on Tue Jul 15, 2014 6:45 am

Exactly! You've perhaps put it more clearly why LibreSSL shouldn't be used on Linux :)

Re: LibreSSL Article

Post by /dev/urandom on Tue Jul 15, 2014 6:49 am

Actually I put it more clearly why it's not LibreSSL's fault that Linux has no sane entropy generator, thus shouldn't be used for anything security-relevant.