I wonder what kind of new internet will emerge from the ashes of everything we've been using since the 1970s, when it finally all goes up in flames in the next few years.
You'll need a really, really, really massive meltdown before people are willing to fork over the money necessary to restart from scratch. Not even nuclear meltdowns have historically convinced people to do that. Not even global warming is convincing people to do that.
It is possible that some vulnerabilities affected both LibreSSL and OpenSSL. In those cases, the total would be smaller than the sum of its parts. However, that is just speculation on my part.
It's kind of unsettling to know there is a known vulnerability (at least known to some) out there and is going to stay unpatched for a couple of days. On the other hand, it is kind of nice to be able to brace for it mentally.
Does anybody know why the update is announced a couple of days in advance? Are e.g. maintainers of corresponding packages in Linux distros or *BSD given access to the code ahead of time so they can build new packages?
presumably, the newly released code might teach malicious users what vulnerabilities are there, which in turn makes everyone who didn't patch quickly vulnerable.
By announcing in advance what is going to happen, people can be ready to update as soon as the patch is available.
The early announcement allows our sysadmins to plan to work during those hours, and for the rest of our org to know that we'll have rolling infrastructure downtime, and that isn't the best time to plan a new feature launch etc.
Glad they are fixing these but damn it is scary every time I see OpenSSL in a headline anymore.
btw
HIGH Severity.
This includes issues that are of a lower risk than critical,
perhaps due to affecting less common configurations,
or which are less likely to be exploitable.
These issues will be kept private and will trigger
a new release of all supported versions.
LibreSSL can't be used everywhere OpenSSL is currently used. Notably (and intentionally) missing is FIPS 140-2 support, which most (almost all?) commercial product that uses OpenSSL will rely upon for selling a FIPS 140-2 compliant or validated product.
Personally, I find Network Security Services (NSS) much better designed than OpenSSL/LibreSSL and wish more things would use it. Notably better is the use of an actual database to store objects. This really helps when you are using certificate revocation lists (CRLs) which may be huge blobs that change frequently.
in some case, if you're able to switch libraries, you might also be able to switch languages and therefore skip on future issues inherent to C. Consider for example: https://golang.org/pkg/crypto/tls/
Wasn't there recently an announcement that OpenSSL was planning on removing FIPS 140 support in the near future and possible add it back at a later point in time?
26 comments
[ 2.3 ms ] story [ 30.8 ms ] threadDo you have data besides "look at all the vulns!"?
Do you have clear evidence of a negative economic trend that is linked to insecure software?
16 + 7 = 19?
5 + 31 + 12 = 36?
Does anybody know why the update is announced a couple of days in advance? Are e.g. maintainers of corresponding packages in Linux distros or *BSD given access to the code ahead of time so they can build new packages?
For server operators to be prepared. (And I would prefer if they would narrow the timescales more for that.)
>Are e.g. maintainers of corresponding packages in Linux distros or *BSD given access to the code ahead of time so they can build new packages?
Yes, but that doesn't require a public announcement.
By announcing in advance what is going to happen, people can be ready to update as soon as the patch is available.
btw
Support the OpenBSD team:
http://www.openbsdfoundation.org/campaign2016.html
that makes the LibreSSL.
Personally, I find Network Security Services (NSS) much better designed than OpenSSL/LibreSSL and wish more things would use it. Notably better is the use of an actual database to store objects. This really helps when you are using certificate revocation lists (CRLs) which may be huge blobs that change frequently.
Specifically mentioned here, OpenSSL 1.1.x won't have FIPS support: https://groups.google.com/forum/#!searchin/mailing.openssl.d...