OpenSSL audit kicks off for post-Heartbleed strengthening program
We can rebuild him. We have the technology. We can make him better...stronger...faster
A major audit of the ubiquitous OpenSSL web security protocol is set to commence under a US$1.2 million industry commitment to harden open source technologies.
OpenSSL is first off the rank under the Linux Foundation’s Core Infrastructure Initiative given its popularity and lack of in-depth security review.
"OpenSSL has been reviewed and improved by the academic community, commercial static analyser companies, validation organisations, and individual review over the years but this audit may be the largest effort to review it, and is definitely the most public," says security outfit Cryptography Services in post announcing their involvement in the audit.
"Serious flaws in OpenSSL cause the whole Internet to upgrade, and in the case of flaws like Heartbleed and EarlyCCS, upgrade in a rush.
"We know that with what may be the highest profile audit conducted on an open source piece of software, the internet is watching."
The audit organised by the Open Crypto Audit Project will first focus on TLS stacks examining protocol flow, state transitions, high-profile cryptographic algorithms, and memory management, the company says.
It will cover a sufficient amount of the codebase to be a "useful component" in the wider effort to secure OpenSSL.
So far some US$3 million has been chalked up under the Core Infrastructure Initiative, thanks to contributions from Amazon, Google, Microsoft, Cisco, and Facebook, all of which have pledged $100,000 a year for three years.
First results of the audit are expected around July. The audit begins on the back of OpenSSL code reviews completed last month launched engineer Matt Caswell says on the realisation that coding was "very unusual", "inconsistently applied" and not formally defined.
The team is also examining the security chops of popular turned possible pariah crypto platform TrueCrypt. Initial checks uncovered some bugs but no sign of a feared backdoor and tests are now being run against random number generators, cipher suites and key algorithms. ®