Ted Unangst: But the good news is, if the size of socklen_t changes while your program is running – Bob Beck: OpenSSL will cope!
A (Tumblr!) blog documenting the OpenBSD team’s recently-initiated remodeling of OpenSSL. I hate to be too hard on the OpenSSL developers, since they’ve already gotten more than enough flak these past couple of weeks, but some of the code that’s being chucked out is just horrifying – for example, private key material may sometimes be used as a PRNG entropy source. I know keys look random, but come on.
There’s a hideous irony in Tumblr warning their users to change their passwords in the wake of Heartbleed, when up until recently they didn’t even support HTTPS for anything other than the login page. Transmitting session keys in cleartext cookies after encrypted authentication? Sure!