OpenSSL fixes bug, gets dissed by German gov: That's so random ... not

Days after fixing a rare but dangerous key recovery attack, the developers of OpenSSL have been dealt a fresh blow with a poor review of the technology from a German government agency. An extensive security study and code review on OpenSSL by Sirrix AG (and sponsored by the BSI (Bundesamt für Sicherheit in der …

  1. Anonymous Coward

    Hopefully more money will be forthcoming?

    Hopefully, the report is the necessary prelude that enables the provision of money and support from the German Government to the team?

    1. Charlie Clark Silver badge

      Re: Hopefully more money will be forthcoming?

      The OpenSSL team now has more than enough money. But it still has a codebase that is unnecessarily complicated due to some weird decisions. Code complexity is anathema to security.

      If money is forthcoming, I'd rather see it split between OpenSSL, LibreSSL and research. For server work, LibreSSL already makes more sense unless you have hard dependencies on OpenSSL.

      1. asdf

        Re: Hopefully more money will be forthcoming?

        All of this is largely turd polishing, trying to fix the leaky dyke that is OpenSSL. Its public API exposes far too much of the (mostly poor) implementation and now a bunch of infrastructure is built on it, the genie is out of the bottle. The LibreSSL folks would like to scrap having to support much of the broken ass API (have removed some of the really dumb stuff) but can't due to dependencies. OpenSSL is one of the biggest threats to internet security and will be so for a long time coming.

        1. This post has been deleted by its author

        2. John Sanders
          Big Brother

          Re: Hopefully more money will be forthcoming?

          You can replace OpenSSL with sooo many things:

          Internet Explorer "one of the biggest threats to internet security and will be so for a long time coming"

          Java applets "one of the biggest threats to internet security and will be so for a long time coming"

          Flash "one of the biggest threats to internet security and will be so for a long time coming"

          OpenSSL will be fixed, have no doubts about that. I have serious doubts about anything else whose source code cannot be scrutinized by an independent 3rd party.

          NOTE: I know both Java applets and Flash are on their way out, that's not the point.

          1. asdf

            Re: Hopefully more money will be forthcoming?

            Just because it's open source doesn't mean it can be fixed any time soon. Java is open source as well and it's still a leaking sieve of CVEs. Still, thank goodness for LibreSSL and OpenBSD, as the OpenSSL devs instill zero confidence for me.

  2. Anonymous Blowhard

    "The BSI investigates security risks associated with the use of IT and develops preventive security measures"

    Are you sure they're a government agency? The description makes it sound like they actually do something...

    1. GrumpenKraut

      > The description makes it sound like they actually do something...

      They actually do quite a lot of good/useful things. Also they do have bright minds. And, yes, a government agency.

  3. Dan Wilkie

    So they're like a German CESG?

    1. GrumpenKraut

      Yes (had to look up CESG), that seems pretty much the same. That CESG did MIKEY-SAKKE is giving me bad vibes, though.

      1. Anonymous Coward

        >That CESG did MIKEY-SAKKE is giving me bad vibes, though.

        Not me. I fancy your lot have been "the good guys" for the last 70yrs or so. Any chance you could get them to design a new phone encryption protocol for us?

  4. Anonymous Coward

    Need a New Spokesman

    Hire a Syrian refugee and then the Germans won't say a peep.......

    1. allthecoolshortnamesweretaken

      Re: Need a New Spokesman

      And your point is what exactly?

      1. Destroy All Monsters Silver badge

        Re: Need a New Spokesman

        PEGIDA-kun, please.

  5. allthecoolshortnamesweretaken

    It's always the RNGs, isn't it? Well, not always. But far too often...

    1. DanDanDan

      Yup! I know that in certain applications (router firmware designers, I'm looking at you!) they used C's "rand()" function. During WPA2 auth (WPS in particular), a string of "random" characters is sent in the clear, followed by the "encrypted", sensitive data used for authentication. The rand() function can therefore be brute forced if you know roughly what the seed values will be (especially easy if srand(time(NULL)) is used).

      People never seem to learn!
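
The weakness described in the comment above, as an added example that is not part of the original thread: a self-audit showing that a nonce built from `srand(time)`/`rand()` is reproduced by a seed inside a one-hour clock window, next to a replacement that reads the kernel CSPRNG. The function names, the constructed seed values, the window size and the use of `/dev/urandom` are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NONCE_LEN 16

/* Weak pattern from the comment: every byte follows from one time-based seed. */
static void weak_nonce(unsigned seed, uint8_t out[NONCE_LEN]) {
    srand(seed);
    for (int i = 0; i < NONCE_LEN; i++)
        out[i] = (uint8_t)(rand() & 0xff);
}

/* Audit check: returns 1 if some second within +/- window of a guessed
 * clock value reproduces the nonce generated from seed, else 0. */
static int audit_time_seed(unsigned seed, unsigned guess, unsigned window) {
    uint8_t observed[NONCE_LEN], trial[NONCE_LEN];
    weak_nonce(seed, observed);          /* the value sent in the clear */
    for (unsigned s = guess - window; s <= guess + window; s++) {
        weak_nonce(s, trial);
        if (memcmp(trial, observed, NONCE_LEN) == 0)
            return 1;
    }
    return 0;
}

/* Hardened replacement: take the bytes from the kernel CSPRNG. */
static int strong_nonce(uint8_t out[NONCE_LEN]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(out, 1, NONCE_LEN, f);
    fclose(f);
    return n == NONCE_LEN ? 0 : -1;      /* fail closed on a short read */
}

/* Returns 1 when two CSPRNG nonces are obtained and differ. */
static int strong_nonces_differ(void) {
    uint8_t a[NONCE_LEN], b[NONCE_LEN];
    return strong_nonce(a) == 0 && strong_nonce(b) == 0 &&
           memcmp(a, b, NONCE_LEN) != 0;
}

int main(void) {
    /* Constructed values: the seed is a Unix time, the guess is off by 1234 s. */
    printf("seed found: %d, CSPRNG nonces differ: %d\n",
           audit_time_seed(1700000000u, 1700001234u, 3600u), strong_nonces_differ());
    return 0;
}
```

The window here is 7201 candidate seeds, which is why a clock-derived seed adds almost no unpredictability regardless of how long the generated value is.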

  6. vmistery

    Until people come together to fully fund a replacement from the ground up it is unlikely to change. Fact is too many very large companies use it as part of their products, they are not going to want to license a replacement as it would cost them a lot of money.
