From: bugcrazy <bugcrazy@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: Re: [RFC] Switching back to OpenSSL
Date: Tue, 11 Aug 2020 09:07:04 +0200 [thread overview]
Message-ID: <20200811070704.mErWmnLqxy1ZjIbjps4ZB4kEjwxJYMwhiXN-O2cvK5c@z> (raw)
In-Reply-To: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-20935@inbox.vuxu.org>
[-- Attachment #1: Type: text/plain, Size: 2419 bytes --]
New comment by bugcrazy on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-671769721
Comment:
> > This link shows that LibreSSL has more development than https://cpp.libhunt.com/compare-openssl-vs-libressl
>
> Untrue, look at commit histories.
>
> > In this **old** link, it compares OpenSSL vs LibreSSL, showing how security is applied in LibreSSL code.
> > https://resources.infosecinstitute.com/libressl-the-secure-openssl-alternative/
> > OpenSSL has a design problem, it is susceptible to serious flaws
>
> (emphasis mine); yes, it is old, and that's the problem. OpenSSL's codebase quality and security auditing has increased greatly in the last 5 years. I would have agreed with you some time ago. Nowdays, LibreSSL gets much less auditing, has much fewer developers working on LibreSSL-portable, and has far less architecture support.
>
> > quantity of developers in OpenSSL does not mean quality in the code
>
> I agree, but it does mean that something has to lose attention. Often, this is performance, or architecture support, and even build support/code quality (especially in libressl-portable), as @q66 can attest to.
>
> > OpenSSL has a lot of legacy OS discontinued
>
> Care to elaborate?
LibreSSL has an independent audit, which can be seen on this link, with a report by a member of Void Linux.
https://blog.doyensec.com/2020/04/08/libressl-fuzzer.html
This academic thesis "Analysis of software vunerabilities through historical data" shows comparative graphs of CVEs. http://lup.lub.lu.se/student-papers/record/8923711/file/8923713.pdf
OpenSSlL has a bad design, which favors serious vulnerabilities, this has not been fixed, as this is part of the structural code of OpenSSL, over the years, it has maintained serious vulnerabilities that affect linking software.
https://news.ycombinator.com/item?id=22935221
https://github.com/openssl/openssl/issues/4729
https://github.com/openssl/openssl/issues/4733
https://hownot2code.com/2016/06/03/evaluate-the-string-literal-length-automatically/#more-172
https://www.viva64.com/en/b/0183/
In these links you can compare the number of CVEs between OpneSSL and LibreSSL.
https://www.cvedetails.com/vulnerability-list/vendor_id-217/Openssl.html
https://www.cvedetails.com/vulnerability-list/vendor_id-97/product_id-30688/Openbsd-Libressl.html
next prev parent reply other threads:[~2020-08-11 7:07 UTC|newest]
Thread overview: 143+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-12 21:44 [ISSUE] " Johnnynator
2020-04-13 0:45 ` travankor
2020-04-13 0:46 ` xtraeme
2020-04-13 0:48 ` protonesso
2020-04-13 0:55 ` q66
2020-04-13 0:57 ` q66
2020-04-13 0:58 ` q66
2020-04-13 1:00 ` travankor
2020-04-13 1:01 ` travankor
2020-04-13 8:58 ` pullmoll
2020-04-13 9:09 ` xtraeme
2020-04-13 10:57 ` xtraeme
2020-04-13 11:29 ` Duncaen
2020-04-13 12:02 ` Hoshpak
2020-04-13 12:04 ` xtraeme
2020-04-13 12:06 ` xtraeme
2020-04-13 12:09 ` xtraeme
2020-04-13 12:09 ` xtraeme
2020-04-16 12:16 ` Johnnynator
2020-04-16 12:18 ` xtraeme
2020-04-16 12:19 ` xtraeme
2020-04-16 12:20 ` xtraeme
2020-04-16 12:22 ` xtraeme
2020-04-16 12:26 ` Johnnynator
2020-04-16 12:29 ` Johnnynator
2020-04-16 12:29 ` xtraeme
2020-04-16 12:31 ` travankor
2020-04-16 12:32 ` xtraeme
2020-04-16 12:33 ` xtraeme
2020-04-16 12:34 ` travankor
2020-04-16 12:34 ` travankor
2020-04-16 12:34 ` travankor
2020-04-16 12:34 ` travankor
2020-04-16 12:35 ` xtraeme
2020-04-16 12:35 ` xtraeme
2020-04-16 12:37 ` xtraeme
2020-04-16 12:40 ` Johnnynator
2020-04-16 12:40 ` Johnnynator
2020-04-16 12:42 ` Johnnynator
2020-04-16 12:43 ` xtraeme
2020-04-16 12:45 ` xtraeme
2020-04-16 12:45 ` xtraeme
2020-04-16 12:51 ` travankor
2020-04-16 12:52 ` travankor
2020-04-16 12:53 ` xtraeme
2020-04-16 12:53 ` Johnnynator
2020-04-16 12:54 ` Johnnynator
2020-04-16 12:55 ` travankor
2020-04-16 12:58 ` travankor
2020-04-16 13:04 ` xtraeme
2020-04-16 13:04 ` xtraeme
2020-04-16 13:05 ` xtraeme
2020-04-16 13:06 ` travankor
2020-04-16 13:07 ` q66
2020-04-16 13:09 ` q66
2020-04-16 13:11 ` xtraeme
2020-04-16 13:12 ` xtraeme
2020-04-16 13:15 ` xtraeme
2020-04-16 13:15 ` q66
2020-04-16 13:18 ` xtraeme
2020-04-16 13:18 ` xtraeme
2020-04-16 13:19 ` q66
2020-04-16 13:21 ` xtraeme
2020-04-16 13:21 ` q66
2020-04-16 13:23 ` xtraeme
2020-04-16 13:24 ` q66
2020-04-16 13:26 ` Johnnynator
2020-04-16 13:28 ` q66
2020-04-16 13:33 ` xtraeme
2020-04-16 13:33 ` xtraeme
2020-04-16 13:35 ` xtraeme
2020-04-16 13:37 ` xtraeme
2020-04-17 6:18 ` Ypnose
2020-04-17 6:18 ` Ypnose
2020-04-17 10:06 ` travankor
2020-04-17 10:06 ` travankor
2020-04-17 10:06 ` travankor
2020-04-17 14:54 ` mobinmob
2020-04-21 21:35 ` howtologinquickwiththirtyninecharacters
2020-04-22 12:16 ` Hoshpak
2020-04-22 12:19 ` xtraeme
2020-04-22 15:05 ` q66
2020-04-23 2:36 ` the-maldridge
2020-04-23 3:35 ` eli-schwartz
2020-04-23 4:43 ` constptr
2020-04-23 7:59 ` fosslinux
2020-04-23 8:23 ` travankor
2020-04-23 10:25 ` Duncaen
2020-04-23 10:29 ` Duncaen
2020-04-23 11:19 ` q66
2020-04-23 11:20 ` constptr
2020-04-24 6:34 ` Ypnose
2020-04-24 7:32 ` the-maldridge
2020-04-24 14:01 ` q66
2020-04-24 16:48 ` q66
2020-04-27 20:31 ` Vaelatern
2020-04-30 21:38 ` CameronNemo
2020-05-01 17:59 ` marmeladema
2020-05-01 18:08 ` marmeladema
2020-05-04 3:56 ` concatime
2020-05-04 3:56 ` concatime
2020-05-04 3:58 ` concatime
2020-05-04 4:00 ` concatime
2020-05-04 12:28 ` travankor
2020-05-15 19:48 ` imrn
2020-05-15 20:55 ` Vaelatern
2020-05-15 20:55 ` Vaelatern
2020-07-30 15:02 ` marmeladema
2020-07-31 0:34 ` fosslinux
2020-08-09 7:37 ` bugcrazy
2020-08-09 9:40 ` Duncaen
2020-08-09 9:41 ` Duncaen
2020-08-09 23:06 ` fosslinux
2020-08-09 23:06 ` fosslinux
2020-08-11 7:07 ` bugcrazy [this message]
2020-08-11 7:47 ` fosslinux
2020-08-11 16:37 ` concatime
2020-08-11 16:37 ` concatime
2020-08-11 19:42 ` q66
2020-08-12 0:35 ` fosslinux
2020-08-12 1:03 ` q66
2020-08-12 1:53 ` fosslinux
2021-01-04 23:06 ` mgorny
2021-01-06 10:19 ` marmeladema
2021-01-06 18:31 ` AngryPhantom
2021-01-06 18:32 ` AngryPhantom
2021-02-11 0:48 ` kawaiiamber
2021-02-11 1:02 ` eli-schwartz
2021-02-11 1:06 ` kawaiiamber
2021-02-11 1:13 ` eli-schwartz
2021-02-11 1:28 ` ericonr
2021-02-22 9:12 ` mikhailnov
2021-03-01 20:36 ` Logarithmus
2021-03-01 20:44 ` Logarithmus
2021-03-01 21:06 ` eli-schwartz
2021-03-01 21:27 ` ericonr
2021-09-19 13:10 ` dm17
2021-09-19 16:07 ` Vaelatern
2021-09-19 16:07 ` Vaelatern
2021-09-19 16:07 ` Vaelatern
2021-09-19 17:31 ` mgorny
2021-09-20 18:17 ` bugcrazy
2021-09-20 18:32 ` Duncaen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200811070704.mErWmnLqxy1ZjIbjps4ZB4kEjwxJYMwhiXN-O2cvK5c@z \
--to=bugcrazy@users.noreply.github.com \
--cc=ml@inbox.vuxu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).