Re: On Open Source
From: Henrick Hellström (henrick.hellstrm_at_telia.com)
Date: 05/23/04
- Next message: Henrick Hellström: "Re: On Open Source"
- Previous message: JKop: "Re: Looking for Good Encrytion Software"
- In reply to: Tom St Denis: "Re: On Open Source"
- Next in thread: Lassi Hippeläinen : "Re: On Open Source"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 23 May 2004 14:45:01 GMT
Tom St Denis wrote:
> Ok, I have two boxes in the field box A and box B. How does box A know
> that box B has been revoked? It has to contact a server. So if OpenSSL
> blocked waiting for a server to reply it wouldn't seem very useful...
If you can live with the risk of connecting to a host with a revoked
server certificate, you also have the option to just download the *.crl
frequently instead of using LDAP each time. Even just relying on offline
CA chaining without actively checking the revocation status might be
acceptable for some application and still more practical that using a
priori known server certificates and considerably more secure than not
validating the certificates at all.
> You started this thread stating that OpenSSL had gaping wide security
> holes in it. Then you added a piece about non-experts at the end. If
> you're just gonna take potshots at something at least back up your
> argument.
[snip]
> This isn't something particularly special about OpenSSL.
1. My guess is that a large amount, perhaps even the majority, of client
software that uses OpenSSL for SSL/TLS is not doing any certificate
validation at all.
2. This would have been significantly less likely to have happened if
the *default* behavior of OpenSSL had been to require some sort of
certificate validation to take place.
I stick to my point that this is indeed a security problem, and that it
is a problem with either the design of OpenSSL or with OpenSSL being
perceived as something practically any application developer can use
securely.
It not impossible to design a cryptographic library in such way that it
checks for typical usage errors, and unintentionally using SSL/TLS
without any kind of certificate validation is probably the most common
usage error in the case of any SSL/TLS solution.
> However, that isn't a reason to say "stop using open source libraries!".
> I'm sure if such developers rolled their own crypto they'd get that
> wrong and the system as well. At least if they use a standards adhering
> library they stand a chance of ending up with something secure.
Absolutely. Again, the problem is not that people use open source
libraries, but that using open source libraries is too often stated as
the universal solution to any kind of question asked here, and that this
has resulted in *actual* security problems with people misusing these
libraries. If *anything* should be used as THE standard answer that
would be appropriate as the concluding one liner in any sci.crypt reply
it would rather be "learn more about cryptography" or "hire a
cryptographer".
- Next message: Henrick Hellström: "Re: On Open Source"
- Previous message: JKop: "Re: Looking for Good Encrytion Software"
- In reply to: Tom St Denis: "Re: On Open Source"
- Next in thread: Lassi Hippeläinen : "Re: On Open Source"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
