undefined | Better HN

0 pointslucideer4y ago0 comments

Sibling commenters have already pointed out you're confusing OpenSSH with OpenSSL.

For additional context, since the gp mentioned that:

> the OpenBSD folks, who have a shockingly good track record

Not only is OpenSSH a BSD project, but so is LibreSSL (the OpenSSL fork that was a response to Heartbleed). Before LibreSSL, BSD folk were also working on assl - similarly an OpenSSL alternative motivated by the BSD guys having concerns about OpenSSL's codebase. So they very much have a solid track record of being pro-actively on top of this type of stuff.

0 comments

1 comments · 1 top-level

tialaramex4y ago

However, on that note it's worth taking a moment to look at recent OpenSSL bugs and compare LibreSSL and see that unsurprisingly (to me anyway) the OpenBSD people did not magically fix the bugs in hairy C code. Once Libressl had taken out the unnecessary stamp collecting from OpenSSL (crypto algorithms you will never need, feature switches left over from experiments a decade ago, etc.) it did not in fact evolve the rest of the codebase as much as you might imagine.

If you've found a bug in pre-fork OpenSSL core material (not the stamp collecting), chances are that it still works in all the forks, none of them have the beyond wizard level competence to rewrite somebody's micro-optimised ECDHE implementation in a way that non-wizards can review, so even if they replaced it they'd just be swapping possibly-incorrect wizard magic for different possibly-incorrect wizard magic and what's the point of that?

j / k navigate · click thread line to collapse