Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

To me it seams way to early to switch.

Wait until libreSSL is battle tested, and we know if it is actually better or worse than the original.



How exactly do you think LibreSSL will be battle tested?


By OpenBSD

From http://www.libressl.org/ "LibreSSL is primarily developed by the OpenBSD Project, and its first inclusion into an operating system will be in OpenBSD 5.6. "


OpenBSD will tests its implementation; it probably won't test ports to other OSs. So unless you use OpenBSD yourself, it won't be of much help.


Maybe that's an argument for more people running OpenBSD.


Will they? Point me to their CI server


I can point you to their test rack:

http://www.openbsd.org/images/rack2009.jpg

They run every version of OpenBSD in every machine they support, including 32bit SPARC, HP 300 and SGI. By running in all those machines they uncover subtle bugs that are made evident by architecture differences.

Also, please see http://anoncvs.estpak.ee/cgi-bin/cgit/openbsd-src/tree/regre...


That wouldn't have caught Heartbleed, wouldn't have caught a vulnerability like the one in Apple's TLS implementation, wouldn't have caught... Basically, testing that your software works in normal operation isn't enough to ensure it's secure, you need to explicitly test its behaviour under attack.


Actually, OpenBSD did have things in place that would have caught Heartbleed. OpenSSL went out of their way to create a situation that defeated them.

Look, the whole OpenSSL debacle is the fact that OpenSSL has ONE programmer working on it reliably. LibreSSL now has 5x-10x the manpower that was working on OpenSSL--and that's STILL probably low by an order of magnitude.

Google should pledge 5 people to work on LibreSSL by itself. They clearly have them since one of their internal audits uncovered Heartbleed.

The thing is nobody in the companies actually cared until the NSA started spying on them.


In that case, you can't use OpenSSL either because its testing clearly doesn't ensure it's secure. So, good luck with that?


All OpenBSD developers work on -current and commonly on multiple platforms. Snapshots are rolled continuously for most platforms and made available to anyone who wants to run the latest code without having to build it themselves. The entire ports tree is compiled regularly on -current too. The compiled packages are then made available.

Check out the 'snapshots' folder of any mirror. More info here: http://www.openbsd.org/ftp.html


A bit unfair that this was down voted. Why does the hive mind think collectively that this is OK state for LibreSSL/OpenSSL - a critical component of internet security - to be in?

What does "testing" mean in the LibreSSL/OpenSSL situation anyway? It compiles? A regression suite passes? Manual verification?


Battle testing sounds like something you'd do to a new implementation. But so far there's very little new in LibreSSL; it's just cleanups and bugfixes. Do you battle test dead code removals and bug fixes?


Yes. Otherwise you get the Debian SSL bug.

https://www.schneier.com/blog/archives/2008/05/random_number...


If anything, battle testing failed to catch that bug.

Some other form of testing could've caught it. Careful code review could've caught it.

Battle testing evidently has failed to catch many of the OpenSSL bugs that have been fixed in LibreSSL.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: