Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Audits on "secure" communication softwares

JPH jph at hbox.ca
Fri Apr 11 18:12:17 PDT 2014


There's a good discussion on HN (here:
https://news.ycombinator.com/item?id=7575210) regarding the funding for
OpenSSL.

I feel that the bug results from a mix of issues, several stemming from
the lack of funding for developers to treat it more than just a labor of
love. This is software that the Internet heavily relies on for security,
yet it has such a small team and only one guy working on it full time.

Even with funding, as a project, OpenSSL seems to be managed less than
optimally. So I don't see it as a problem of open source, but a problem
of project management, and resources (project contributors, marketing,
outreach) which is ultimately constrained their poor funding.

Of course you can have individual open source developers producing
secure code (ie DJB), but unfortunately they're the exception.

Another issue linked to project management is that "OpenSSL has exploit
mitigation countermeasures to make sure it's exploitable":
http://article.gmane.org/gmane.os.openbsd.misc/211963. This meant that
advances in open source security in libc are ignored, leaving OpenSSL
vulnerable. Allegedly the flag that enables the
"OPENSSL_NO_BUF_FREELISTS" (internal memory management) is the default
that OpenSSL is tested against, and it apparently doesn't pass tests
when the flag is disabled. Fixing this should have been a project
priority, but lack of management and resources meant that it's never
been done.

So when we look at other open source secure communications software that
we rely on, let's also consider how well the project is run, and how
much resources they have to achieve their goals.

JPH

On 04/12/2014 07:08 AM, Percy Alpha wrote:
> The recent news of OpenSSL bug shows no software open source or not can be
> fully trusted.
>
> Do we have audits on secure communication softwares such
> as gpg4win, gpgtools and recent uprising "secure" mobile IMs such as wickr,
> confide, threema and Telegram?
>
> Percy Alpha(PGP <https://en.greatfire.org/contact#alt>)
> GreatFire.org Team
>
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20140412/b8db24a8/attachment.html>


More information about the liberationtech mailing list