Hacker News new | ask | show | jobs
by sgarlatm 4446 days ago
It may actually be a good thing if Chrome migrates to OpenSSL. With their resources, perhaps they can do some testing to see if there are any more vulnerabilities out there. At the very least, their continued eye on the project should help it be more secure going forward.
3 comments
wigginus 4446 days ago
Actually I think the Heartbleed vulnerability was most probably found because of this migration, as it was found by Neel Mehta of Google (and the Codenomicon guys). The date of this draft is 2014-01-26, so it makes sense, that the OpenSSL code is evaluated by the security team before the migration.
link
rdudek 4446 days ago
Considering how widely it's used, if Google could use some of their resources to better it, I'm all for it!
link
Shish2k 4446 days ago
Considering how widely SSL is used, and the resources of Google, I wonder if they could come up with their own encryption toolkit? How hard can it be for a company the size of Google to create a library that lives up to eg SQLite's quality standards?
link
plorkyeran 4446 days ago
Fix OpenSSL, and everyone that currently uses OpenSSL benefits. Create a new library that's clearly better than OpenSSL, and ten years later there will still be important things that still haven't switched.
link
danudey 4446 days ago
I would say that Joel Spolsky answers this quite well:

http://www.joelonsoftware.com/articles/fog0000000069.html

What would be interesting to see is a fork of OpenSSL with the intention of cleaning up the code, removing abstractions where they are unnecessary and adding them where they are, and adding a comprehensive test suite to ensure correct behaviour wherever possible.

link
thrownaway2424 4446 days ago
Google has already written and released a complete crypto stack for Go. Where you restricting your comments to C/C++ implementations?
link
richm44 4446 days ago
The last time I looked at it the go stack was very weak compared to any of the mature C SSL stacks. IIRC it only took me a few minutes to find a security bug (which I reported and is now fixed) that I'd reported against various browsers several years earlier. In short, I highly doubt the go SSL stack is production ready.
link
thrownaway2424 4446 days ago
The above questioner didn't ask whether it was any good, only whether Google could write and release one.
link
Raphael 4446 days ago
Good point. Though it only claims to "partially implement TLS 1.2". http://golang.org/pkg/crypto/tls/
link
chc 4446 days ago
The real question is, how hard can it be to do that while starting with OpenSSL compared to starting from scratch?
link
crashandburn4 4446 days ago
Those were my thoughts exactly, I think OpenSSL just needs a bit of care and refactoring (possibly a lot depending on which blogs you read) for which they need devs and resources, both of which google has.
link
thirsteh 4446 days ago
The problem with OpenSSL is that it's really problematic to simply fix and refactor stuff given their FIPS certification.
link
leoc 4446 days ago
Ooh, OpenSSL's FIPS certification. The fellows who've been fighting for years to take it away http://www.itnews.com.au/News/65016,openssl-in-a-fips-flap.a... must be crowing right now. (Regardless of whether their own stuff is any better or no.) Another decertification incoming?
link
crashandburn4 4445 days ago
Hi, can someone help me understand what the significance of FIPS certification is? ( beyond the wikipedia page: http://en.wikipedia.org/wiki/FIPS_140-2 )
link
leoc 4445 days ago
AFAIK the US federal government (excluding the military, which obviously has its own hoops to jump through) generally can't use your hardware/software unless it has the appropriate FIPS certification(s). https://en.wikipedia.org/wiki/Federal_Information_Processing...
link