OpenSSL to LibreSSL

RowanKaag · 13 December 2015 21:04

I’ve noticed this tweet from @sam_nazarko:
https://twitter.com/SamNazarko/status/638029673780277249

I can’t deliberately explain why you’d REALLY need this, as I’m not that super-much of a security guy. Anyway, I’ve been told by my teacher at the University of Amsterdam to move over to LibreSSL when using implementations of OpenSSL as LibreSSL supposedly contains dramatically less security flaws.

Toast · 13 December 2015 22:14

Erm so move away from a mainstream lib that HAS had some issues just becuase to a minor lib

again no app is totally secure

there are flaws in almost all of the apps we use today its just a matter of finding em, so i rather stick with the devil and the known issues that openssl has then go to a lesser fork with lesser devs.

sam_nazarko · 13 December 2015 23:48

The decision to change SSL Library was not done for security reasons, although that was a pleasant byproduct. We did it for better cURL compatibility.

RowanKaag · 14 December 2015 00:00

When comparing:

Openssl Openssl : CVE security vulnerabilities, versions and detailed reports (58 issues in 2014 + 2015)

to:

Openbsd Libressl : CVE security vulnerabilities, versions and detailed reports (being 1 in two years)

the statistics do show quite a difference. Just from looking at numbers, without any context, I can see where the teacher is coming from. Like I said, I’m not a security guy. But I can imagine that LibreSSL being rewritten, modern techniques may be applied for snappier software.

RowanKaag · 14 December 2015 00:03

quote from the latest releasenotes:

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. - http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.2.5-relnotes.txt

jb2cool · 14 December 2015 09:54

But is that because far fewer people are using LibreSSL and thus fewer issues found?

RowanKaag · 14 December 2015 10:30

Good point, but this should implicitly mean that, since openssl is a broader used implementation of TLS, you’d be relatively safer by using something that’s less used (and thus less likely to be targeted to hackers) whilst being even “better” (core is the same, openssl patches are nearly instantly applied and ‘recent programming techniques’ are applied)

Toast · 14 December 2015 14:58

its not gonna happen so please give it up.

RowanKaag · 14 December 2015 16:42

Just trying to help in any way I can. Don’t mind me.

sam_nazarko · 15 December 2015 00:10

I don’t subscribe to the idea of security by obscurity.

I keep an eye on these things, and right now I would say that OpenSSL will see more vigorous real world testing than LibreSSL. OpenSSL also has more stable development at the moment
Sam

RowanKaag · 15 December 2015 21:13

Alright, thank you for your response. I can understand your point of view.