[cryptography] Just how bad is OpenSSL ?

Von Welch von at vonwelch.com
Mon Oct 29 17:29:24 EDT 2012


> I am wondering just how bad OpenSSL is?

While one can find various software engineering faults, I think that the main issue is not that it is "bad," it is that OpenSSL is written for cryptographic experts, not standard software developers.

The unfortunate thing is that most of the time the latter have no other choice but to use OpenSSL; in a perfect world they would be isolated from it by workflow-specific APIs that prevent them from shooting themselves in the foot too easily.

Von

On Oct 26, 2012, at 2:29 PM, John Case wrote:

> 
> I was recently reading "the most dangerous code in the world" article at Stanford:
> 
> https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
> 
> and found the Hacker News discussion:
> 
> http://news.ycombinator.com/item?id=4695350
> 
> (interesting discussion and argument about the curl library and how often it is badly deployed)
> 
> And the Hacker News discussion led me to "OpenSSL is written by monkeys":
> 
> http://www.peereboom.us/assl/assl/html/openssl.html
> 
> 
> So, given what is in the Stanford report and then reading this rant about OpenSSL, I am wondering just how bad OpenSSL is? I've never had to implement it or code with it, so I really have no idea.
> 
> How long has it been "understood" that it's a mess (if it is indeed a mess)? How dangerous is it?
> 
> It looks like the rant was published in 2009 ....
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography



