[rand334]

Yes; the entirety of our internet infrastructure is...almost...hopelessly insecure. The OpenSSL team refuses to even use SSL/TLS on their website because "they don't want anyone to get the slightest illusion that it's secure" and want everyone to manually verify the SHA hashes.

[simoncion]

> The OpenSSL team refuses to even use SSL/TLS on their website because "they don't want anyone to get the slightest illusion that it's secure"

Eh?

1) Visting http://www.openssl.org automatically redirects me to https://www.openssl.org .

2) The OpenSSL source code is stored in a git repo in GitHub. While this doesn't ensure that the code hasn't been tampered with, git does make it substantially easier to detect tampering than other VCSs do.

3) All of the release tarballs are PGP signed. Verification of the authenticity of these files is just about as automatic as it gets.

[loginusername]

I could be mistaken but I think, not too long ago, openssl.org used to redirect to openssl.net.

And if I recall correctly, it was http://openssl.net not https://.

Is it possible there have been some changes in recent years?

[simoncion]

> Is it possible there have been some changes in recent years?

Well, I made my comment based largely on information that I verified a few minutes before I wrote the comment. I'm unaware of the site's history.

[bdamm]

Have they posted their concerns regarding SSL/TLS? It would make interesting reading. I am assuming the issue is the certificate issuance hierarchy and correspondent lack of transparency, but that's just a guess.

[oldmanjay]

Of course if those hashes are also served via plaintext, then comparing them also doesn't matter, and using them as verification is akin to praying to not be compromised

[lern_too_spel]

The OpenSSL team uses TLS on www.openssl.org. I don't know where you found that quote.