30 days of LibreSSL
2014/05/22 12:01:51 CEST

On May 17, 2014, Bob Beck gave a very enlightening presentation of LibreSSL. Slides and video.

It is worth viewing. Below are some highlights.

The code was too horrible, nobody wanted to work with it

This, and the way the OpenSSL developers have been handling fixes sent by others, have been very effective at preventing involvement from outsiders.

Among other things, we also learn that:

Shortlist of goals of the LibreSSL team:

About funding:

The OpenSSL foundation appears to be a million dollar a year for-profit company doing FIPS consulting gigs. (Incorporated in Maryland)

But people only remember the USD 2000,- donations a year.

The OpenSSL "Foundation" is basically a FIPS consultancy – we are not. We believe this creates a priority inversion to the needs of the larger community.

What are we looking for?
Sponsor several developers to re-write some key pieces of the codebase
Sponsor some effort of the portability/ports people
Support us - and help us out. Publicly.

The wave of support towards OpenSSL is at odds with the history and facts that have been discovered so far. Several reasons are in play, among others:

The last point is probably the most essential. While the funding problem is not the only cause – in my opinion – for the situation OpenSSL is in, it cannot be disputed that projects need funding in order to run. The increase in support and involvement towards OpenSSL will surely improve the situation.

However, I think that any company that is serious about getting a sane SSL library should support LibreSSL. It is the better choice considering the previous achievements of the OpenBSD project – in particular OpenSSH. If you do not need FIPS, that is.

(updated on June 21, 2014 modifying the last part to better express my opinion)

Tags security heartbleed libressl