back to article OpenSSL releases seven patches for seven vulns

Users are being urged to upgrade OpenSSL to prevent eavesdroppers listening to otherwise encrypted connections undermined through the LogJam vulnerability thought to be the NSA's crypto-cracking tool of choice. OpenSSL maintainers have patched seven vulnerabilities including the LogJam vulnerability (CVE-2015-4000) which …

  1. Anonymous Coward
    Anonymous Coward

    Why would you want to renegotiate to a level lower than what was previously established? This is what I wonder.

    1. DougS Silver badge

      Indeed, that is the sort of 'feature' you'd expect the NSA and GCHQ to insert into the code.

    2. Voland's right hand Silver badge

      Spec says so

      That's what the spec says.

      IMHO, it is more of a case of Hanlon's razor than three letter agency involvement (just look at how much errata and "updates" are on the TLS RFCs).

    3. Lee D Silver badge

      Why would you want to renegotiate the protocol at all?

      Surely an actual change of protocol is so rare, it deserves a full disconnection and reconnection?

      Renegotiate the key, yes. Maybe even renegotiate certain parameters (compression, etc.). But renegotiate the actual protocol?

    4. Antonymous Coward
      Facepalm

      TLS/SSL are broken by design. Both the specifications and the implementations - not the primitives - that's too time consuming. And YES! It was all done (perfectly openly) by the TLAs. That's their job. I'm astonished anyone with enough interest in this field to read the Reg and splaff into these discussions still doesn't fully understand this! It has been an open "secret" since the bloody '90s!

      Here's a little titbit from this very site which you obviously must have missed: http://regmedia.co.uk/2014/05/16/0955_peter_gutmann.pdf

      If still don't understand, try to find some time to read up on the history of the drafting of these protocols. It's all fully documented - how they were drafted by various boffins etc for a whatever quasi-independent committee, dutifully and openly sent off by said committee to the US government for review and special enhancement, returned obviously kludged and borked beyond belief, dutifully ratified by said committee despite a small flurry of squawking from the dismayed boffs... and you know the rest... you're commenting on the most recent instalment of the inevitable and ongoing rewards. Plenty more to come, to (again) surprise and perplex you in due course... watch this space...

  2. This post has been deleted by its author

    1. petur

      Why do so many people use open source and so little people support it? Probably answers your question.

      We're not talking about a big company with millions on the bank, in fact, the 'big ones' have only recently started funding some essential open source core libraries...

    2. Anonymous Coward
      Anonymous Coward

      "It doesn't take that long to write and test patches."

      Wow and double wow, sweeping statement or what. Typical freetard mentality, I don't want to pay but I want it yesterday!

      Given that OpenSSL is staffed by volunteers, why don't you volunteer yourself and show them how it's done. I mean how hard can it be? </sarcasm>

      1. This post has been deleted by its author

        1. Blane Bramble

          First you say:

          I don't like running with a known vulnerability in my SSL stack for two days, let alone two months. It doesn't take that long to write and test patches.

          and then later:

          The OpenSSL team owe me nothing, and for all I care can stop their work today - I have the source I need

          Then why didn't you fix it yourself, genius?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020