The Register

Topics

Special Features

Vendor Voice

Resources

OpenSSL fixes bug, gets dissed by German gov: That's so random ... not

Days after fixing a rare but dangerous key recovery attack, the developers of OpenSSL have been dealt a fresh blow with a poor review of the technology from a German government agency. An extensive security study and code review on OpenSSL by Sirrix AG (and sponsored by the BSI (Bundesamt für Sicherheit in der …

COMMENTS

Post your comment

House rules Send corrections

Add to 'My topics'

Thursday 4th February 2016 13:42 GMT Anonymous Coward

Hopefully more money will be forthcoming?

Hopefully, the report is the necessary prelude that enables the provision of money and support from the German Government to the team?

2 1 Reply
1. Thursday 4th February 2016 14:53 GMT Charlie Clark
  
  Re: Hopefully more money will be forthcoming?
  
  The OpenSSL team now has more than enough money. But it still has a codebase that is unnecessarily complicated due to some weird decisions. Code complexity is anathema to security.
  
  If money is forthcoming, I'd rather see it split between OpenSSL, LibreSSL and research. For server work, LibreSSL already makes more sense unless you have hard dependencies on OpenSSL.
  
  6 0 Reply
  1. Thursday 4th February 2016 15:41 GMT asdf
    
    Re: Hopefully more money will be forthcoming?
    
    All of this largely turd polishing trying to fix the leaky dyke that is OpenSSL. Its public API exposes far too much of the (mostly poor) implementation and now a bunch of infrastructure is built on it, the genie is out of the bottle. The LibreSSL folks would like to scrap having to support much of the broken ass API (have removed some of the really dumb stuff) but can't due to dependencies. OpenSSL is one of the biggest threats to internet security and will be so for a long time coming.
    
    7 6 Reply
    1. This post has been deleted by its author
    2. Thursday 4th February 2016 17:53 GMT John Sanders
      
      Re: Hopefully more money will be forthcoming?
      
      You can replace OpenSSL with sooo many things:
      
      Internet Explorer "one of the biggest threats to internet security and will be so for a long time coming"
      
      Java applets "one of the biggest threats to internet security and will be so for a long time coming"
      
      Flash "one of the biggest threats to internet security and will be so for a long time coming"
      
      OpenSSL will be fixed have no doubts about that, I have serious doubts about anything else whose source code can not be scrutinized by an independent 3rd party.
      
      NOTE: I Know both Java applets and Flash are on their way out, that's not the point.
      
      10 5 Reply
      1. Friday 5th February 2016 17:26 GMT asdf
        
        Re: Hopefully more money will be forthcoming?
        
        Just because its open source doesn't mean it can be fixed any time soon. Java is open source as well and its still a leaking sieve of CVEs. Still thank goodness for LibreSSL and OpenBSD as the OpenSSL devs instill zero confidence for me.
        
        0 1 Reply
Thursday 4th February 2016 13:58 GMT Anonymous Blowhard

"The BSI investigates security risks associated with the use of IT and develops preventive security measures"

Are you sure they're a government agency? The description makes it sound like they actually do something...

5 0 Reply
1. Thursday 4th February 2016 14:08 GMT GrumpenKraut
  
  > The description makes it sound like they actually do something...
  
  They actually do quite a lot of good/useful things. Also they do have bright minds. And, yes, a government agency.
  
  13 0 Reply
Thursday 4th February 2016 14:25 GMT Dan Wilkie

So they're like a German CESG?

0 0 Reply
1. Thursday 4th February 2016 14:33 GMT GrumpenKraut
  
  Yes (had to look up CESG), that seems pretty much the same. That CESG did MIKEY-SAKKE is giving me bad vibes, though.
  
  4 0 Reply
  1. Friday 5th February 2016 11:11 GMT Anonymous Coward
    
    >That CESG did MIKEY-SAKKE is giving me bad vibes, though.
    
    Not me. I fancy your lot have been "the good guys" for the last 70yrs or so. Any chance you could get them to design a new phone encryption protocol for us?
    
    1 0 Reply
Thursday 4th February 2016 14:59 GMT Anonymous Coward

Need a New Spokesman

Hire a Syrian refugee and then the Germans won't say a peep.......

1 11 Reply
1. Thursday 4th February 2016 18:09 GMT allthecoolshortnamesweretaken
  
  Re: Need a New Spokesman
  
  And your point is what exactly?
  
  5 0 Reply
  1. Thursday 4th February 2016 19:32 GMT Destroy All Monsters
    
    Re: Need a New Spokesman
    
    PEGIDA-kun, please.
    
    0 0 Reply
Thursday 4th February 2016 18:10 GMT allthecoolshortnamesweretaken

It's always the RNGs, isnt't it? Well, not always. But far to often...

5 0 Reply
1. Friday 5th February 2016 12:33 GMT DanDanDan
  
  Yup! I know that in certain applications (router firmware designers, I'm looking at you!) they used C's "rand()" function. During WPA2 auth (WPS in particular), a string of "random" characters is sent in the clear, followed by the "encrypted", sensitive data used for authentication. The rand() function can therefore be brute forced if you know roughly what the seed values will be (especially easy if srand(time(NULL)) is used.
  
  People never seem to learn!
  
  0 0 Reply
Tuesday 9th February 2016 08:39 GMT vmistery

Until people come together to fully fund a replacement from the ground up it is unlikely to change. Fact is too many very large companies use it as part of their products, they are not going to want to license a replacement as it would cost them a lot of money.

0 0 Reply