06/25/2014

Google says there are more than 70 patches needed in OpenSSL and opens up its own version of OpenSSL

as even more very old and very fundamental mistakes in OpenSSL are being discovered, there is an even more fundamental question that needs to be answered

how is it possible that all those coders didn't see all those bugs and vulnerabilities before?

the answer is even more astonishing than the problem

sometimes they did, but OpenSSL couldn't implement the patches or fixes or close the holes because it had to be compatible with so many systems that it wasn't possible (or affordable) to do so

Google said in its posting that it implemented 70 patches of its own on its own version of OpenSSL but that OpenSSL itself was not always capable of implementing them

but as many of its partners are now leaving OpenSSL and looking for alternatives, so many have asked Google for its own version of OpenSSL that it has decided to put it at the disposal of the community today

https://boringssl.googlesource.com/boringssl/+/master

they are going to use it for Chrome and Android soon

https://www.imperialviolet.org/2014/06/20/boringssl.html

which also means that some in the Google community have no confidence in the money that Google and others are now investing in a foundation to pay for the cleanup of the OpenSSL code and the implementation of the fixes: they think it will be too late and that too many things will stay vulnerable because it isn't possible to implement the fixes for all the users

it is another way of saying that if the technology industry doesn't invest much more in OpenSSL it won't make a difference, and that OpenSSL should be abandoned if you are really serious about your own security and that of your clients and their transactions

and just as with OpenSSL, this doesn't mean that the code is any safer; it is only safe as long as there are enough people working solely on that code with all the knowledge and checks that are necessary to keep code clean
