Hacker News new | ask | show | jobs
by cperciva 6587 days ago
So, you can do all sorts of gymnastics with hashes and nonces and salts (and timestamps and sequence numbers and MACs), but you turn SSL on, and now the only thing that matters is SSL.

Just as a side note: SSL libraries are big, ugly, and bug-prone. If you use SSL for user logins, your users' login information will be more secure... but your server will be less secure.
1 comments
tptacek 6587 days ago
Wow. I think you should support that claim with evidence.
link
cperciva 6587 days ago
You want evidence for the fact that SSL libraries have bugs?

http://security.freebsd.org/advisories/FreeBSD-SA-07:08.open... http://security.freebsd.org/advisories/FreeBSD-SA-06:23.open... http://security.freebsd.org/advisories/FreeBSD-SA-06:19.open... http://security.freebsd.org/advisories/FreeBSD-SA-05:21.open... http://security.freebsd.org/advisories/FreeBSD-SA-04:05.open... http://security.freebsd.org/advisories/FreeBSD-SA-03:18.open... http://security.freebsd.org/advisories/FreeBSD-SA-03:06.open... http://security.freebsd.org/advisories/FreeBSD-SA-03:02.open... http://security.freebsd.org/advisories/FreeBSD-SA-02:33.open... http://security.freebsd.org/advisories/FreeBSD-SA-01:51.open...

Is that enough?

OpenSSL and OpenSSH are tied, at 10 advisories each, as the pieces of software which have been responsible for the most FreeBSD Security Advisories -- outdoing Sendmail and BIND (7 advisories each), procfs (6 advisories, and removed from the default system configuration due to its poor record), and tcpdump and cvs (5 advisories each).

link
tptacek 6586 days ago
Of the 12 postings you provided, 6 have nothing to do with server security, 2 are dupes, and only two of the remainder date to after 2004. Thanks for making me do that research. I guess I deserve it.

The comparison to Sendmail? Pretty laughable. Why don't you work from the real list of Sendmail vulns, not the ones in your personal database?

Now, I'll respond: under what circumstances would you advise a prospective YC app developer to avoid SSL because of the risk of server vulnerabilities?

link
cperciva 6586 days ago
Of the 12 postings you provided ... 2 are dupes

I only posted 10 links, which is probably why you think there were 2 duplicates. :-)

The comparison to Sendmail? Pretty laughable. Why don't you work from the real list of Sendmail vulns, not the ones in your personal database?

FreeBSD security advisories were an easily available list of vulnerabilities which were assessed on the same basis. If I were going to "the real list of Sendmail vuln[erabilities]" (whatever you consider that to be) then I'd also have to use a real list of OpenSSL vulnerabilities -- including those which didn't affect FreeBSD because we didn't ship those versions, and the "oops, last months' security patch was broken" vulnerabilities which didn't affect FreeBSD thanks to the fact that the FreeBSD security team proofreads vendor patches.

under what circumstances would you advise a prospective YC app developer to avoid SSL because of the risk of server vulnerabilities?

If they didn't care about the confidentiality or authenticity of data being transmitted, then I would advise them to not use SSL.

More importantly, if they were using SSL, I'd advise them of the increased risk and suggest additional layers of defence -- for instance, terminating HTTPS within a jail at a proxy which forwards requests in plaintext over a localhost connection.

Of course, individual circumstances always vary, so it's hard to give any sort of blanket advice.

link
tptacek 6586 days ago
You have two advisories for the same 0.9.7l get-ciphers vulnerability. I have, as you've noticed, lost the ability to count. Yes, less than 40% of the evidence you provided survives a minute's scrunity.

If you really think OpenSSL has a worse track record than Sendmail, assert it directly. I don't think you will.

I think you've just provided some spectacularly bad advice to web devs here, Colin.

link
cperciva 6586 days ago
You have two advisories for the same 0.9.7l get-ciphers vulnerability.

No, there's one advisory for the original vulnerability, and a second advisory for a new vulnerability which was added when OpenSSL shipped a broken patch (this one we didn't notice in time -- mea culpa).

If you really think OpenSSL has a worse track record than Sendmail, assert it directly. I don't think you will.

Overall? No -- Sendmail had a horrible track record in the past. Recently? Yes, I would say that OpenSSL has a worse track record than Sendmail over the past 4 years.

I think you've just provided some spectacularly bad advice to web devs here, Colin.

You're entitled to your opinion, of course, but I'd like to hear more details -- which bit in specific do you consider was bad advice?

link