All SSL distros are now suspect
As an industry we have accepted that these libraries are the standard plumbing of security for many years.
And they are obviously based on standards.
Some other standards are continuous and automated testing to ensure broken code does not make it to production.
The last two weeks of Apple and now GNU not being able to competently handle return values in C shows that:
They don't have automated testing in place for critical security code. (Anything?)
They don't have maintainers in place who understand their own c code.
Consumers of SSL code believe in acronym security which does not exist.
As an industry since we cannot control the shoddy practices of distributors of security code we must minimally require proof of open transparent automated tests which can be verified by a third party before using any vendors encryption.
Goodnight. And may the force "goto" you.
0 comments
[ 4.9 ms ] story [ 13.8 ms ] threadNo comments yet.