Room 208

Elaborate Burn

Posts from #openssl

The LibreSSL developers discuss OpenSSL’s incredible flexibility in the face of impossible situations:

Ted Unangst: But the good news is, if the size of socklen_t changes while your program is running –

Bob Beck: OpenSSL will cope!

OpenSSL Valhalla Rampage

A (Tumblr!) blog documenting the OpenBSD team’s recently initiated remodeling of OpenSSL. I hate to be too hard on the OpenSSL developers, since they’ve already gotten more than enough flak these past couple of weeks, but some of the code that’s being chucked out is just horrifying – for example, private key material may sometimes be used as a PRNG entropy source. I know keys look random, but come on.

There’s a hideous irony in Tumblr warning their users to change their passwords in the wake of Heartbleed, when up until recently they didn’t even support HTTPS for anything other than the login page. Transmitting session keys in cleartext cookies after encrypted authentication? Sure!