[cryptography] Just how bad is OpenSSL ?

Jeffrey Walton noloader at gmail.com
Tue Oct 30 07:09:17 EDT 2012


On Tue, Oct 30, 2012 at 5:03 AM, Ben Laurie <ben at links.org> wrote:
> On Mon, Oct 29, 2012 at 10:34 PM, Jeffrey Walton <noloader at gmail.com> wrote:
>> On Fri, Oct 26, 2012 at 2:29 PM, John Case <case at sdf.org> wrote:
>>>
>>> [SNIP]
>
> Apparently you think the best way to get a secure platform is to apply
> pressure through pointless security standards. I'd suggest your
> efforts might be better spent supplying patches instead. Or, y'know,
> talking to the authors of the s/w in question. You never know, they
> might care.

I'm not sure I agree some defenses are pointless. For example,
attackers are very clever at building exploits such as ROP gadgets.
ASLR and DEP are two of the better defenses we have in this case when
a program failed its initial mission of no bugs. I'm not convinced a
second line of defense is pointless. And I am aware of userland and
kernel leaking addresses at times - I'm just not willing to throw the
baby out with the bath water.

Jeff


