Hacker News
by maxbucknell 4447 days ago
If there are so many problems with OpenSSL, why are there no alternatives that are readily available and anywhere near as functional?

The whole internet runs OpenSSL, but why hasn't anyone tried to do something different? I know it's complicated, but if a few big companies really chose to put some muscle behind it, it could happen, right?

This sums up some of the difficulties with the production of open source software:

https://en.wikipedia.org/wiki/Public_good

That really doesn't illuminate anything, because you'd also need to explain why open source has been spectacularly successful generating other public goods (linux and others).

The economics of open source are pretty clear at this point. The software industry spends a lot of money supporting open source, because it's in their own interest to do so -- it's cheaper to share the costs than to build your own infrastructure from scratch every time, when the infrastructure is not part of your competitive advantage.

This particular bug was found by people that Google pays to audit open source code all day, in an effort to improve said code.

> open source has been spectacularly successful generating other public goods (linux and others).

No one doubts that some open source software has been very successful. What I'm not sure of is whether levels of open source provisioning are optimal: maybe there should be 10X what there is now. Maybe Linux should dominate the desktop world, but does not due to lack of funding. This is Bastiat's "what is not seen" - what we have now is good, but perhaps it could be better. Maybe a lot better, under different circumstances.

Also, that link mentions Coasian solutions, and privileged goods, which between them explain a lot about open source software, no?

If this is a consequence of the difficulties with the production of open source software, does that mean there are much more secure proprietary implementations of SSL/TLS? Which ones?
A quick search with Google reveals various commercial SSL implementations. I have no idea how good they are.

Most people probably think openssl is good enough and are not willing to pay for something else.