Feeds

Thanks for nothing, OpenSSL, grumbles stonewalled De Raadt

OpenBSD grump it isn't in the cool kids infosec club

Using blade systems to cut costs and sharpen efficiencies

OpenBSD founder Theo De Raadt said OpenSSL maintainers appeared to have intentionally not informed it about dangerous vulnerabilities found in the platform and patched today.

The apparent feud stems from the April break away LibreSSL which was forked after developers found the OpenSSL code base to be unacceptably insecure in the wake of the Heartbleed vulnerability.

LibreSSL would still contain OpenSSL vulnerabilities such as the most recent DTLS invalid fragmentation bug (CVE-2014-0195) and rely on early tip offs to ensure it could build a patch for the day of public disclosure.

That bug was one of six to affect OpenSSL which permitted eavesdropping on encrypted connections and the implanting of malware on vulnerable systems.

Disclosure to LibreSSL did not happen, leading De Raadt to claim it was part of deliberate stone-walling.

"Most other operating system vendors have patches available, but that is because they were (obviously) given a heads up to prepare them over the last few days," De Raadt wrote in a mailing list post.

"Unfortunately I find myself believing reports that the OpenSSL people intentionally asked others for quarantine (of the bug), and went out of their way to ensure this information would not come to OpenBSD and LibreSSL.

"There, I've said it."

From an ethical standpoint, developers did not need to inform those dependent on vulnerable code of any bugs found ahead of public disclosure but must inform all critical players if they chose to do so and not "specifically exclude a part of the community", he said.

His statements were met with some criticism centered on the original decision to fork OpenSSL rather than working with developers to improve its security.

At the time, De Raadt took abundant critism of apparent OpenSSL security checks due to insufficient resources further by stating the platform was "not developed by a responsible team".

The LibreSSL project aimed to substaintially rewrite the OpenSSL codebase. Thousands of lines of "unneeded" code were deleted while individual source files were rewritten in kernel normal form used by BSD operating systems.

It was planned for incorporation into BSD version 5.6 scheduled for release in November. ®

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.