All SSL distros are now suspect

1 points by proovit ↗ HN
In crypto, the "crypto" is the hard part. But now in the space of two weeks we see that folks maintaining the crypto in C can't handle return values.

As an industry we have accepted that these libraries are the standard plumbing of security for many years.

And they are obviously based on standards.

Some other standards are continuous and automated testing to ensure broken code does not make it to production.

The last two weeks of Apple and now GNU not being able to competently handle return values in C shows that:

They don't have automated testing in place for critical security code. (Anything?)

They don't have maintainers in place who understand their own c code.

Consumers of SSL code believe in acronym security which does not exist.

As an industry since we cannot control the shoddy practices of distributors of security code we must minimally require proof of open transparent automated tests which can be verified by a third party before using any vendors encryption.

Goodnight. And may the force "goto" you.

0 comments

[ 4.9 ms ] story [ 13.8 ms ] thread

No comments yet.