
Hopefully more money will be forthcoming?
Hopefully, the report is the necessary prelude that enables the provision of money and support from the German Government to the team?
Days after fixing a rare but dangerous key recovery attack, the developers of OpenSSL have been dealt a fresh blow with a poor review of the technology from a German government agency. An extensive security study and code review on OpenSSL by Sirrix AG (and sponsored by the BSI (Bundesamt für Sicherheit in der …
The OpenSSL team now has more than enough money. But it still has a codebase that is unnecessarily complicated due to some weird decisions. Code complexity is anathema to security.
If money is forthcoming, I'd rather see it split between OpenSSL, LibreSSL and research. For server work, LibreSSL already makes more sense unless you have hard dependencies on OpenSSL.
All of this is largely turd polishing, trying to fix the leaky dyke that is OpenSSL. Its public API exposes far too much of the (mostly poor) implementation, and now a bunch of infrastructure is built on it; the genie is out of the bottle. The LibreSSL folks would like to scrap having to support much of the broken ass API (they have removed some of the really dumb stuff) but can't due to dependencies. OpenSSL is one of the biggest threats to internet security and will be so for a long time coming.
You can replace OpenSSL with sooo many things:
Internet Explorer "one of the biggest threats to internet security and will be so for a long time coming"
Java applets "one of the biggest threats to internet security and will be so for a long time coming"
Flash "one of the biggest threats to internet security and will be so for a long time coming"
OpenSSL will be fixed, have no doubts about that. I have serious doubts about anything else whose source code cannot be scrutinized by an independent 3rd party.
NOTE: I know both Java applets and Flash are on their way out; that's not the point.
Yup! I know that in certain applications (router firmware designers, I'm looking at you!) they used C's "rand()" function. During WPA2 auth (WPS in particular), a string of "random" characters is sent in the clear, followed by the "encrypted", sensitive data used for authentication. The rand() function can therefore be brute forced if you know roughly what the seed values will be (especially easy if srand(time(NULL)) is used).
People never seem to learn!
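As an added illustration (not code from the comment's author or from any firmware), the following C program contrasts a nonce generator seeded the way the comment describes, srand(time(NULL)) followed by rand(), with one that reads from the operating system's CSPRNG. The function names weak_token, strong_token, weak_is_reproducible and strong_tokens_differ are hypothetical, and /dev/urandom is assumed to be available.

```c
// Added example, not from the original thread. Shows why seeding rand()
// from the clock makes a "random" nonce fully reproducible, and what to use
// instead. All function names here are hypothetical.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define TOKEN_LEN 16

// Weak generator: the whole token is a pure function of the seed. A seed
// taken from time(NULL) has only a handful of plausible values around the
// moment the token was issued, so the sequence is trivially reproducible.
void weak_token(unsigned int seed, unsigned char out[TOKEN_LEN]) {
    srand(seed);
    for (int i = 0; i < TOKEN_LEN; i++)
        out[i] = (unsigned char)(rand() & 0xff);
}

// Strong generator: reads TOKEN_LEN bytes from the kernel CSPRNG.
// Returns 0 on success, -1 if the device cannot be read.
int strong_token(unsigned char out[TOKEN_LEN]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(out, 1, TOKEN_LEN, f);
    fclose(f);
    return (n == TOKEN_LEN) ? 0 : -1;
}

// Returns 1 if two weak tokens built from the same seed are byte-identical,
// i.e. the generator leaks nothing beyond its seed.
int weak_is_reproducible(unsigned int seed) {
    unsigned char a[TOKEN_LEN], b[TOKEN_LEN];
    weak_token(seed, a);
    weak_token(seed, b);
    return memcmp(a, b, TOKEN_LEN) == 0;
}

// Returns 1 if two consecutive strong tokens differ (they will, except with
// probability 2^-128), -1 if the CSPRNG could not be read.
int strong_tokens_differ(void) {
    unsigned char a[TOKEN_LEN], b[TOKEN_LEN];
    if (strong_token(a) != 0 || strong_token(b) != 0)
        return -1;
    return memcmp(a, b, TOKEN_LEN) != 0;
}

static void print_hex(const char *label, const unsigned char *t) {
    printf("%s", label);
    for (int i = 0; i < TOKEN_LEN; i++)
        printf("%02x", t[i]);
    printf("\n");
}

int main(void) {
    unsigned char t[TOKEN_LEN];
    unsigned int now = (unsigned int)time(NULL);

    // Anyone who knows roughly when this ran can regenerate this value.
    weak_token(now, t);
    print_hex("weak  (srand(time)): ", t);
    printf("reproducible from seed: %s\n",
           weak_is_reproducible(now) ? "yes" : "no");

    if (strong_token(t) == 0)
        print_hex("strong (/dev/urandom): ", t);
    return 0;
}
```

The point for a defender reviewing firmware is the shape of the code, not the particular library: any nonce that is a deterministic function of a low-entropy seed is a secret only until someone guesses the seed, so the fix is to source nonces from the OS CSPRNG (or a hardware RNG on embedded targets), never from rand().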