Is OpenSSL secure... in its dominance?

Summary: All it will take is one major player to endorse LibreSSL as compatible and functional and OpenSSL adoption will crumble.

TOPICS: Security

There are few software libraries as important to the everyday proper function of the Internet as OpenSSL, and yet it is no longer respected. Now that a legitimate free and open source competitor seems to be in the offing, the possibility exists that developers will abandon OpenSSL like rats from a sinking ship.

OpenSSL is not just used for SSL by web sites. All sorts of software with cryptographic needs use it for basic functions. For instance, OpenSSH — written by the same OpenBSD group that is now forking OpenSSL into LibreSSL — uses the OpenSSL libcrypto APIs for basic cryptographic functions that are also used by OpenSSL's libssl, the more famous part.

With so much code using OpenSSL, what those programs really depend on is not the OpenSSL library itself but its API. This is why LibreSSL's implementers, while cutting out large parts of the OpenSSL implementation, plan to keep what remains of the APIs compatible. Just put the LibreSSL files where the OpenSSL files were and the program will compile and link properly with the new library.

So, in theory, even a major Linux distribution or VPN product could just plug in the new library and it should work. The reason they might do this is that OpenSSL has long been known to be a mess, and Heartbleed has given cover to efforts to do something about it.

Look back through the history of open source software and it's not easy to find examples of a code fork supplanting a significant program. I asked around among my colleagues and the best example I heard is LibreOffice, the productivity application suite which forked off of OpenOffice and which has passed it in popularity. In fact, many of you who think you are using OpenOffice are actually using LibreOffice.

LibreOffice doesn't provide much guidance for the OpenSSL/LibreSSL case. The users of LibreOffice are users; the users of OpenSSL are programmers. The benefits and detriments of switching office suites may be immediately obvious to the user, while the benefits of switching crypto libraries will be, at least at first, completely theoretical.

And there is software that needs the features being stripped out of LibreSSL; software designated for US government functions that requires FIPS 140-2 support, for example. But Theo de Raadt, the head OpenBSD guy, insists that few inside the US and nobody outside cares about FIPS.

But for the overwhelming majority of applications which don't need the missing functionality, and where the developers appreciate the improvement in quality and security in a simpler, better-written library, LibreSSL may be an easy decision.

If a major program which currently uses OpenSSL were to switch to LibreSSL, that might count as permission for others to follow suit. A major Linux distribution would qualify.

Some of the major developers at issue here, like Red Hat and IBM, are among the few who might actually care about FIPS and the other missing features. But there's no reason they can't include both libraries and a configuration option or linker switch to allow a choice.
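The drop-in substitution described earlier and the configuration-or-linker-switch idea in the paragraph above, as an added example that is not from the article and not from either the OpenSSL or LibreSSL project: a POSIX shell script that selects an implementation by installation prefix, builds a small probe against it, and checks that the headers and the shared library the process actually loads are the same implementation. Since both libraries export the same API, nothing else tells them apart at a glance. `SSL_PREFIX`, the function names and the probe program are this example's own assumptions; it assumes the conventional `$PREFIX/include/openssl` and `$PREFIX/lib` layout, a C compiler, and a library that provides `OpenSSL_version()` (OpenSSL 1.1.0 or later, LibreSSL 2.7 or later).

```shell
#!/bin/sh
# Added example, not part of the article or of OpenSSL/LibreSSL themselves.
# Select the TLS implementation with one variable (SSL_PREFIX, an assumed
# name) and verify which one you actually got: both libraries export the
# same API, so only an explicit check tells them apart.

# Compiler/linker flags for the implementation installed under prefix $1.
# OpenSSL and LibreSSL both install libssl and libcrypto, so the prefix is
# the only thing that changes between the two builds. The rpath pins the
# run-time library to the same install the headers came from.
ssl_flags() {
    prefix=$1
    printf '%s\n' "-I$prefix/include -L$prefix/lib -Wl,-rpath,$prefix/lib -lssl -lcrypto"
}

# Classify a copy of <openssl/opensslv.h>. LibreSSL's header defines
# LIBRESSL_VERSION_NUMBER (plus a fixed OPENSSL_VERSION_NUMBER for
# compatibility); stock OpenSSL's header defines only the latter.
ssl_identify_header() {
    header=$1
    if grep -q 'LIBRESSL_VERSION_NUMBER' "$header" 2>/dev/null; then
        echo libressl
    elif grep -q 'OPENSSL_VERSION_NUMBER' "$header" 2>/dev/null; then
        echo openssl
    else
        echo unknown
    fi
}

# Build and run a probe that prints the implementation the headers belong
# to and the one the process actually loaded. Exit status 0 means they match.
ssl_build_probe() {
    prefix=$1
    workdir=$(mktemp -d) || return 1
    cat > "$workdir/probe.c" <<'EOF'
#include <stdio.h>
#include <string.h>
#include <openssl/crypto.h>
#include <openssl/opensslv.h>

int main(void)
{
    /* OPENSSL_VERSION_TEXT is baked in from the headers at compile time;
     * OpenSSL_version() is answered by whichever library the loader found. */
    const char *runtime = OpenSSL_version(OPENSSL_VERSION);

#ifdef LIBRESSL_VERSION_NUMBER
    printf("headers:  LibreSSL (%s)\n", OPENSSL_VERSION_TEXT);
#else
    printf("headers:  OpenSSL (%s)\n", OPENSSL_VERSION_TEXT);
#endif
    printf("library:  %s\n", runtime);

    if (strcmp(runtime, OPENSSL_VERSION_TEXT) != 0) {
        puts("MISMATCH: headers and shared library come from different installs");
        return 1;
    }
    return 0;
}
EOF
    # the flags are meant to be word-split, so $(ssl_flags ...) is unquoted
    ${CC:-cc} -o "$workdir/probe" "$workdir/probe.c" $(ssl_flags "$prefix") || return 1
    if "$workdir/probe"; then status=0; else status=$?; fi
    rm -rf "$workdir"
    return $status
}

# Usage: SSL_PREFIX=/opt/libressl sh ssl-probe.sh   (or SSL_PREFIX=/usr for OpenSSL)
if [ -n "${SSL_PREFIX:-}" ]; then
    echo "header type: $(ssl_identify_header "$SSL_PREFIX/include/openssl/opensslv.h")"
    ssl_build_probe "$SSL_PREFIX"
fi
```

Switching implementations is then a matter of pointing `SSL_PREFIX` at a different install and rebuilding, which is the "configuration option or linker switch" the paragraph describes. The probe's mismatch check matters because a drop-in replacement with an identical API can compile cleanly against one library's headers and silently load the other library at run time.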

A lot of testing needs to be done before any major project takes such a risk, but it makes sense that it would work. What does OpenSSL have to save itself, other than inertia?

  • I don't see why it should be secure ...

    Clearly it's bloated and poorly managed. That alone should give pause.
  • Is OpenSSL secure... in its dominance?

    It's a great thing the OpenBSD guys are doing for SSL. I say let Theo clean up the code as OpenBSD has proven itself in the security arena. If Red Hat or IBM needs the FIPS stuff then let their developers add it back in.
    • Mr. Davidson's on a first name basis with Theo de Raadt?!

      Ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha!!!!!
      Rabid Howler Monkey
    • I never ever dreamed that I would find myself in agreement with Loverock ..

      But indeed every pig eventually takes flight. In any case, I agree completely with this particular assertion. And I think it is not very far fetched to expect LibreSSL to get a FIPS patch in order to with finality replace OpenSSL. That will leave OpenSSL with a few niches like DOS and legacy Windows applications which are not so secure in the first place anyway. Apps like LibreOffice on Windows will be stuck with OpenSSL since OpenBSD has no intention of supporting the non-POSIX world. But all of the POSIX world will likely go with LibreSSL before this is over.
      George Mitchell
  • I think your assessment is correct

    OpenSSL is very vulnerable at this point. The developers are going to have to clean up their act in a hurry or others will do it for them.
    John L. Ries
  • So it's another bit of code...

    ...written "by committee"...and what is to say it has been any better vetted than OpenSSL?

    Anyone really know for sure?
    • The OpenBSD project

      more so than any other open source project that I am aware of, incorporates a security development lifecycle in its software development process. And has practiced this on a rather small budget since 1996, which translates to almost 20 years. OpenBSD, an open source project, was over five (5) years ahead of Microsoft's own SDL process.

      I, for one, have great confidence in the OpenBSD project's ability to significantly improve SSL security in the LibreSSL fork of OpenSSL.

      Anyone really know if and when the GNU/Linux community will step up and improve the security of OpenSSL and GnuTLS?
      Rabid Howler Monkey
      • OpenBSD

        I agree, the OpenBSD guys are the right people to do this.

        If the OpenSSL devs are smart, they'll pull the changes back into their own codebase. Then everyone wins. The removed features (VMS, Windows, and FIPS support) can be added in specialized forks only for those that need them. For everyone else, it's just garbage cluttering up a very important library.
      • OpenSSL is pretty butchered

        If you've ever read some of the OpenSSL code, you would not believe it is a security based library.
        OpenSSL has good intentions but poorly managed and executed development.
        Just like OpenOffice, it was not fully baked, kinda 80% there.
        Since it's very hard to get 100% right by part-timers, it's just pushed through and accepted by the open source world as the standard.
      • OpenSSL and Linux ...

        "Anyone really know if and when the GNU/Linux community will step up and improve the security of OpenSSL and GnuTLS?"

        Remember, OpenSSL uses BSD and Apache licenses, NOT GPL, so they are not classic Linux developers, more like BSD developers in the first place. So all the drama here is really playing out in the BSD camp and those of us on the Linux side are really just onlookers, but very hopeful onlookers with the legendary OpenBSD team taking on the problem.
        George Mitchell
        • "the Linux side are really just onlookers"

          Let's hope for more from the various corporations that make a ton of money from Linux. Hardware companies (e.g., IBM, HP, Dell, Hitachi), hosting companies (e.g., Rackspace), companies whose infrastructure is built on Linux (e.g., Google, Facebook, Yahoo!, LinkedIn, Netflix), operating system companies (Apple, Oracle, Red Hat, SUSE, Canonical, Ltd.), ISVs whose enterprise applications run on Linux (e.g., Oracle, SAP), etc. The corporations I just listed should be considered a short list. They all know who they are.

          And let's consider that it was only a few months ago that ZDNet ran this story:

          "Electricity bill threatens survival of OpenBSD"
          January 17, 2014

          It should now be clear that the various BSD projects, especially OpenBSD and FreeBSD, are important members of the greater open source community.
          Rabid Howler Monkey
          • Not Enough Monkeys;

            but, still not a bad circus!
      • GnuTLS of course is a GNU/Linux embarrassment ...

        We have to take responsibility for that one. Hopefully someone will deal with it as well.
        George Mitchell