OpenSSL to LibreSSL

I’ve noticed this tweet from @sam_nazarko:
https://twitter.com/SamNazarko/status/638029673780277249

I can’t exactly explain why you’d REALLY need this, as I’m not that much of a security guy. Anyway, I’ve been told by my teacher at the University of Amsterdam to move over to LibreSSL when using implementations of OpenSSL, as LibreSSL supposedly contains far fewer security flaws.

Erm, so move away from a mainstream lib that HAS had some issues to a minor lib, just because?

Again, no app is totally secure.

http://www.cvedetails.com/product/30688/Openbsd-Libressl.html?vendor_id=97

There are flaws in almost all of the apps we use today; it’s just a matter of finding them. So I’d rather stick with the devil and the known issues that OpenSSL has than go to a lesser fork with fewer devs.

The decision to change SSL library was not made for security reasons, although that was a pleasant byproduct. We did it for better cURL compatibility.
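A practical check that goes with the cURL compatibility point above is to confirm which TLS backend a given curl binary was actually built against, since a distribution can swap OpenSSL for LibreSSL underneath without the command-line behaviour changing. The following shell snippet is an added example and not code from the thread or from the project; it parses the first line of `curl --version`, and the two sample version lines are constructed for illustration rather than taken from any real build.

```shell
# Added example (not from the forum thread): report the TLS library a curl
# binary links against by parsing the first line of `curl --version`, e.g.
#   curl 7.44.0 (arm-unknown-linux-gnueabihf) libcurl/7.44.0 LibreSSL/2.2.5 zlib/1.2.8
# The backend appears as a "<Library>/<version>" token on that line.

# tls_backend_of VERSION_LINE
#   Prints the backend token (e.g. "LibreSSL/2.2.5" or "OpenSSL/1.0.1k"),
#   or "unknown" when no recognised TLS library token is present.
tls_backend_of() {
    line="$1"
    for tok in $line; do
        case "$tok" in
            OpenSSL/*|LibreSSL/*|BoringSSL*|GnuTLS/*|NSS/*|mbedTLS/*|wolfSSL/*|SecureTransport*|Schannel*)
                printf '%s\n' "$tok"
                return 0
                ;;
        esac
    done
    printf 'unknown\n'
    return 0
}

# tls_backend_name VERSION_LINE
#   Prints just the library name part ("LibreSSL", "OpenSSL", ...), or "unknown".
tls_backend_name() {
    tls_backend_of "$1" | sed 's#/.*##'
}

# tls_backend_version VERSION_LINE
#   Prints just the version part ("2.2.5", "1.0.1k", ...), or an empty string
#   when the backend is unknown or the token carries no version.
tls_backend_version() {
    tok="$(tls_backend_of "$1")"
    case "$tok" in
        */*) printf '%s\n' "${tok#*/}" ;;
        *)   printf '\n' ;;
    esac
}

# check_local_curl
#   Runs the check against the curl installed on this machine, if any.
check_local_curl() {
    if command -v curl >/dev/null 2>&1; then
        tls_backend_of "$(curl --version | head -n 1)"
    else
        printf 'curl not installed\n'
    fi
}

# Constructed sample lines (assumptions for illustration, not real builds)
SAMPLE_LIBRESSL="curl 7.44.0 (arm-unknown-linux-gnueabihf) libcurl/7.44.0 LibreSSL/2.2.5 zlib/1.2.8"
SAMPLE_OPENSSL="curl 7.38.0 (arm-unknown-linux-gnueabihf) libcurl/7.38.0 OpenSSL/1.0.1k zlib/1.2.8"

# Usage: show what the samples parse to, then check the local binary.
tls_backend_of "$SAMPLE_LIBRESSL"
tls_backend_of "$SAMPLE_OPENSSL"
check_local_curl
```

The token list in the `case` covers the backends curl is commonly built with; a build against a library not in that list simply reports `unknown`, which is the safe answer when the whole point is to avoid assuming which implementation you are running.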

When comparing:

http://www.cvedetails.com/product/383/Openssl-Openssl.html?vendor_id=217 (58 issues in 2014 + 2015)

to:

http://www.cvedetails.com/product/30688/Openbsd-Libressl.html?vendor_id=97 (being 1 in two years)

the statistics do show quite a difference. Just from looking at the numbers, without any context, I can see where the teacher is coming from. Like I said, I’m not a security guy. But I can imagine that, with LibreSSL being rewritten, modern techniques may be applied for snappier software.

Quote from the latest release notes:

The LibreSSL project continues improvement of the codebase to reflect modern, safe programming practices. - http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.2.5-relnotes.txt

But is that because far fewer people are using LibreSSL and thus fewer issues found?

Good point, but this should implicitly mean that, since OpenSSL is a more broadly used implementation of TLS, you’d be relatively safer by using something that’s less used (and thus less likely to be targeted by hackers) whilst being even “better” (the core is the same, OpenSSL patches are applied nearly instantly, and ‘recent programming techniques’ are applied).

It’s not gonna happen, so please give it up.

Just trying to help in any way I can. Don’t mind me.

I don’t subscribe to the idea of security by obscurity.

I keep an eye on these things, and right now I would say that OpenSSL will see more vigorous real-world testing than LibreSSL. OpenSSL also has more stable development at the moment.
Sam

Alright, thank you for your response. I can understand your point of view.