Heartbleed: LibreSSL scrubs "irresponsible" OpenSSL code

22 Apr 2014

OpenBSD team scrubs 90,000 lines of code from encryption library

A new fork of the OpenSSL project has been created by members of the OpenBSD open-source operating system project in an effort to clean up the beleaguered cryptographic library.

OpenSSL is currently the most widely used SSL/TLS library on the internet. However, it suffered a major blow to its reputation over the past few weeks thanks to a coding bug known as Heartbleed.

Theo de Raadt, founder and leader of OpenBSD, told PC Pro that LibreSSL was set up because "the OpenSSL team are not responsible software developers".

"I don't know what their defect is ... [but] they never remove deprecated junk in their tree and they are very ineffective at getting reported bugs fixed in a timely fashion," he said.

De Raadt claims those working on LibreSSL have already removed 90,000 lines of C code and 150,000 lines of code from OpenSSL, most of which either refers to niche applications or was scheduled for deletion but never actually expunged.

He also told PC Pro that LibreSSL will initially be made "for [OpenBSD’s] own purposes, using the same process that resulted in OpenSSH".

Its first inclusion into an operating system will be in OpenBSD 5.6.

"At some point, we expect an effort will occur to make it available to other operating systems. I suspect quite a mass of people will join to help that, in particular people who care about those other operating systems," said de Raadt.

However, the OpenBSD team are "not promising anything to anyone yet", he cautioned.

While LibreSSL does have an official website, content is currently pretty scant. "At the moment we are too busy deleting and rewriting code to make a decent web page," the page reads.

However, a third-party blog called OpenSSL Valhalla Rampage has been set up for those wanting to keep up with every step of the project as it progresses.
