1. This is the perfect example of why open source code can't be a religion in which we have to 'believe' and have 'faith'. OpenSSL is often hailed as one of the perfect examples of why open source works and why it is supposed to be safer. This is the perfect example of why OpenSSL, in its present business and development process, is broken, and why any software with a critical function for our privacy and security can't be only open source. What I mean is that there have to be real people behind it: real researchers, real project managers, and these people will have to be paid (enough to stay).
One cannot continue to believe that the sole fact that you put code on the internet as open source is enough to be sure that the code has been checked, and that the 'masses' will keep on researching and recoding the product and its code in all of its facets and complexities. People have lives and many things to do in them, and helping out with some open source ideas and projects is only one of those things.
Here I come to my opposition from the beginning to putting the Belgian eID and e-voting software completely online. If you look at the number of participants and the improvements, you won't say that the risk is worth the total transparency. I have more trust in trained and experienced testers who do nothing else every day and have the liberty and resources to go as thoroughly as they want (if you let them) than in the 'mystical community'.
This is not to say that there should be no community input or that code and projects can't be started by the community, but they should be done according to best practices, on a stabilised common platform, with permanent logging and testing of what each participant has done and should do, and with clear responsibilities and a decision-making process.
This is why I have far more trust in open source projects with a business model in which organisations and firms can pay for services and development, and which can hire the coders and project managers to set up all those tests, norms and consultations, than in 'ghost town' code that has been dumped on the internet as the cheapest way to get somebody to work on it. Especially when it comes to code that is so critically important that it could change the way we live or trade.
Of course another option is that firms and public organisations open source the code they are developing inside the company or organisation, or make it accessible to partners on specific terms, so that the cost of managing the code and the project can be lowered and code developed specifically for one firm or organisation also becomes available to the other partners.
The fact remains that the leak was discovered after two years by independent researchers (nobody in the OpenSSL community saw it), that it is a buffer overrun (there are thousands of tools that check code for such things) and a memory leak (the most frightening kind of leak in any encryption environment, because it has been one of the most used bypasses of encryption until now).
I rest my case because it speaks for itself.
But I do like Firefox, Splunk, Snort, Tripwire, Metasploit, CentOS and Apache, among others.
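As an added illustration of the bug class referred to above (constructed example code, not OpenSSL's source and not the author's), here is a simplified model of a heartbeat-style record handler. The vulnerable version copies as many bytes as the peer's length field claims, so it reads past the received record into neighbouring memory; the fixed version checks the claimed length against the record actually received and silently drops the request. The record layout, the SECRET marker and the "process memory" buffer are all constructed for the demo, and the over-read is deliberately kept inside one allocated buffer so the program itself has no undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a heartbeat record (loosely after RFC 6520), not OpenSSL's code:
 *   byte 0     : type (1 = request, 2 = response)
 *   bytes 1..2 : payload_length, big-endian
 *   payload_length bytes of payload, then at least 16 bytes of padding.      */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };

/* Vulnerable handler: trusts payload_length from the peer and copies that many
 * bytes from wherever the record sits, even past the bytes actually received. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                uint8_t *resp, size_t resp_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    size_t out_len = 3 + payload_len + HB_PADDING;
    if (out_len > resp_cap)
        return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload_len);   /* over-read: payload_len may exceed rec_len - 3 */
    memset(resp + 3 + payload_len, 0, HB_PADDING);
    return (int)out_len;
}

/* Fixed handler: the claimed payload plus padding must fit in the bytes received. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                           uint8_t *resp, size_t resp_cap)
{
    if (rec_len < 3 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (3 + payload_len + HB_PADDING > rec_len)
        return -1;                             /* silently discard the lying record */
    size_t out_len = 3 + payload_len + HB_PADDING;
    if (out_len > resp_cap)
        return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload_len);
    memset(resp + 3 + payload_len, 0, HB_PADDING);
    return (int)out_len;
}

/* Byte-string search, since memmem is not standard C. */
static int contains(const uint8_t *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0)
            return 1;
    return 0;
}

#define SECRET "PRIVATE-KEY-MATERIAL"   /* constructed marker for "nearby" sensitive memory */

/* Lay out a malicious request and some unrelated "process memory" in one buffer.
 * The request claims 64 payload bytes but only 5 were sent (record is 24 bytes). */
static size_t build_memory(uint8_t *mem, size_t cap)
{
    memset(mem, 0, cap);
    mem[0] = HB_REQUEST;
    mem[1] = 0x00; mem[2] = 0x40;            /* claimed payload_length = 64 */
    memcpy(mem + 3, "hello", 5);             /* real payload, followed by 16 zero padding bytes */
    size_t rec_len = 3 + 5 + HB_PADDING;
    memcpy(mem + rec_len + 8, SECRET, strlen(SECRET));
    return rec_len;
}

int vulnerable_leaks_secret(void)
{
    uint8_t mem[128], resp[128];
    size_t rec_len = build_memory(mem, sizeof mem);
    int n = heartbeat_vulnerable(mem, rec_len, resp, sizeof resp);
    return n > 0 && contains(resp, (size_t)n, SECRET);
}

int fixed_rejects_request(void)
{
    uint8_t mem[128], resp[128];
    size_t rec_len = build_memory(mem, sizeof mem);
    return heartbeat_fixed(mem, rec_len, resp, sizeof resp) == -1;
}

int fixed_answers_honest_request(void)
{
    uint8_t rec[3 + 5 + HB_PADDING] = { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    uint8_t resp[128];
    int n = heartbeat_fixed(rec, sizeof rec, resp, sizeof resp);
    return n == (int)sizeof rec && resp[0] == HB_RESPONSE && memcmp(resp + 3, "hello", 5) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler rejects request:   %d\n", fixed_rejects_request());
    printf("fixed handler answers honest:    %d\n", fixed_answers_honest_request());
    return 0;
}
```

The point of the fixed version is that the bound comes from the length of the record the TLS layer actually delivered, not from a field inside that record; any length-prefixed format needs the same comparison, and it is exactly the kind of check static analysers and fuzzers are built to find.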
2. Somebody has to state clearly that the use of OpenSSL is also the result of the wish to make stupid economies on even the most essential parts of a software package. There are other SSL packages that may cost some money, but the money you have saved is nothing compared to the loss of trust and the thousands of man-hours spent on upgrades, patching, checking logs and so on. There is no way anyone will be able to calculate the total cost of this vulnerability to the economy (man-hours and investments) and to society (man-hours spent changing passwords again).
You shouldn't use a free product because it is free. You should use it because it is the best return on investment, and in some environments the risk of any problem with the code, implementation or patching is so great that there is never a return on investment that will be acceptable to any organisation that handles the data of thousands or millions of people, businesses or organisations.
When I think about the organisations that make use of OpenSSL and the kind of data they handle, I always get the creeps. I always think to myself: all good and well, but what if something goes wrong, because then it could go very wrong.
Maybe somebody should say that if you use or handle that kind of data, you aren't allowed to use that kind of software without service management and rechecking of the code every time, which will in any case make it more expensive than the normal commercial code that is available.
3. What will we do with the infrastructure that doesn't get an update, will be attacked and will leak our data, without its users ever being informed that, for one reason or another, nothing was done? It took years to get the corrupted certificates from another Linux security problem out of the network. It will take years before every possibly impacted installation is updated and upgraded and has reissued its certificate.
Shouldn't we upgrade our browsers so that they warn us if a server is still impacted and can still have our passwords read out of its memory with a very simple piece of code? Shouldn't hosters oblige their clients to put things in order or be transferred to an unsafe zone, where 'unsafe administrators' are put in a zoo where they have less impact on safe servers but will see the devastating effects of negligence by others? In the hope that they ask for asylum and sign a contract in which they promise to pay more attention, or more money, for their own security.