[cryptography] Just how bad is OpenSSL ?

Ben Laurie ben at links.org
Tue Oct 30 07:23:34 EDT 2012


On Tue, Oct 30, 2012 at 11:09 AM, Jeffrey Walton <noloader at gmail.com> wrote:
> On Tue, Oct 30, 2012 at 5:03 AM, Ben Laurie <ben at links.org> wrote:
>> On Mon, Oct 29, 2012 at 10:34 PM, Jeffrey Walton <noloader at gmail.com> wrote:
>>> On Fri, Oct 26, 2012 at 2:29 PM, John Case <case at sdf.org> wrote:
>>>>
>>>> [SNIP]
>>
>> Apparently you think the best way to get a secure platform is to apply
>> pressure through pointless security standards. I'd suggest your
>> efforts might be better spent supplying patches instead. Or, y'know,
>> talking to the authors of the s/w in question. You never know, they
>> might care.
> I'm not sure I agree some defenses are pointless.

Nor would I, which is why it's lucky it's not what I said.

> For example,
> attackers are very clever at building exploits such as ROP gadgets.
> ASLR and DEP are two of the better defenses we have in this case when
> a program failed its initial mission of no bugs. I'm not convinced a
> second line of defense is pointless. And I am aware of userland and
> kernel leaking addresses at times - I'm just not willing to throw the
> baby out with the bath water.
>
> Jeff


