undefined | Better HN

0 pointsShish2k11y ago0 comments

Considering how widely SSL is used, and the resources of Google, I wonder if they could come up with their own encryption toolkit? How hard can it be for a company the size of Google to create a library that lives up to eg SQLite's quality standards?

0 comments

plorkyeran11y ago

Fix OpenSSL, and everyone that currently uses OpenSSL benefits. Create a new library that's clearly better than OpenSSL, and ten years later there will still be important things that still haven't switched.

danudey11y ago

I would say that Joel Spolsky answers this quite well:

http://www.joelonsoftware.com/articles/fog0000000069.html

What would be interesting to see is a fork of OpenSSL with the intention of cleaning up the code, removing abstractions where they are unnecessary and adding them where they are, and adding a comprehensive test suite to ensure correct behaviour wherever possible.

thrownaway242411y ago

Google has already written and released a complete crypto stack for Go. Where you restricting your comments to C/C++ implementations?

richm4411y ago

The last time I looked at it the go stack was very weak compared to any of the mature C SSL stacks. IIRC it only took me a few minutes to find a security bug (which I reported and is now fixed) that I'd reported against various browsers several years earlier. In short, I highly doubt the go SSL stack is production ready.

thrownaway242411y ago

The above questioner didn't ask whether it was any good, only whether Google could write and release one.

Raphael11y ago

Good point. Though it only claims to "partially implement TLS 1.2". http://golang.org/pkg/crypto/tls/

chc11y ago

The real question is, how hard can it be to do that while starting with OpenSSL compared to starting from scratch?

j / k navigate · click thread line to collapse

0 comments

plorkyeran11y ago

danudey11y ago

I would say that Joel Spolsky answers this quite well:

http://www.joelonsoftware.com/articles/fog0000000069.html

thrownaway242411y ago

Google has already written and released a complete crypto stack for Go. Where you restricting your comments to C/C++ implementations?

richm4411y ago

thrownaway242411y ago

The above questioner didn't ask whether it was any good, only whether Google could write and release one.

Raphael11y ago

Good point. Though it only claims to "partially implement TLS 1.2". http://golang.org/pkg/crypto/tls/

chc11y ago

The real question is, how hard can it be to do that while starting with OpenSSL compared to starting from scratch?

j / k navigate · click thread line to collapse