Heartbleed: LibreSSL scrubs "irresponsible" OpenSSL code

By Jane McCallion

Posted on 22 Apr 2014 at 16:11

A new fork of the OpenSSL project has been created by members of the OpenBSD open-source operating system project in an effort to clean up the beleaguered cryptographic library.

OpenSSL is currently the most widely used SSL/TLS library on the internet. However, its reputation took a major blow over the past few weeks thanks to Heartbleed (CVE-2014-0160), a missing bounds check in the library's TLS heartbeat extension that let a remote peer read up to 64KB of a server's memory per request.

Theo de Raadt, founder and leader of OpenBSD, told PC Pro that LibreSSL was set up because, in his words, "the OpenSSL team are not responsible software developers".
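The defect behind the "coding bug known as Heartbleed", as an added example that is not OpenSSL's or LibreSSL's code: a heartbeat record handler that trusts the peer's claimed payload length, beside the fixed one. The record layout follows the TLS heartbeat extension (RFC 6520: type, 2-byte length, payload, padding); the sample records, the "neighbouring memory" bytes and the function names are constructed for this demo and are assumptions, not anything from the article.

```c
/* Added example (not OpenSSL's or LibreSSL's code): the bug class behind
 * Heartbleed, shown on a constructed TLS-heartbeat-style record.
 * Record layout, as in RFC 6520: type (1 byte), payload_length (2 bytes,
 * big-endian), payload, then at least 16 bytes of padding. */
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed sample input. The peer claims a 32-byte payload but sends only
 * two bytes. Everything after index 20 stands in for whatever happened to be
 * next to the record in the process's memory; keeping it inside one array is
 * what makes this demo safe to run, while the logic matches the real bug,
 * where the read ran up to 64 KiB into neighbouring heap memory. */
static const unsigned char g_memory[64] = {
    /* [0]     */ HB_REQUEST,
    /* [1..2]  */ 0x00, 0x20,                       /* payload_length claims 32 */
    /* [3..4]  */ 'H', 'i',                         /* the 2 bytes actually sent */
    /* [5..20] */ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,  /* 16 bytes of padding */
    /* [21..]  */ 'S','E','C','R','E','T','-','K','E','Y','-','0','1','2','3',
};
#define DELIVERED_LEN 21   /* 1 + 2 + 2 + 16: what the transport really delivered */

/* An honest request for comparison: claims 2 bytes, sends 2 bytes. */
static const unsigned char g_honest[21] = {
    HB_REQUEST, 0x00, 0x02, 'H', 'i',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
};

/* Vulnerable handler: trusts payload_length and never consults rec_len,
 * which is the shape of the defect in OpenSSL 1.0.1 through 1.0.1f.
 * Padding is zeroed here for determinism. Returns the response length
 * written to out, or -1. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap)
{
    (void)rec_len;                               /* the real length is ignored */
    if (rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)                      /* only the destination is checked */
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);           /* reads past the real payload */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Fixed handler: the claimed payload must fit inside what was received,
 * with room for the mandatory padding; otherwise the record is discarded.
 * This is the check OpenSSL 1.0.1g added. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)            /* too short to carry a length field */
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len)  /* the missing Heartbleed check */
        return -1;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

int main(void)
{
    unsigned char out[128];
    int n = heartbeat_vulnerable(g_memory, DELIVERED_LEN, out, sizeof out);
    printf("vulnerable: %d bytes, leaked \"%.14s\"\n", n, (const char *)(out + 21));
    printf("fixed (malformed): %d\n",
           heartbeat_fixed(g_memory, DELIVERED_LEN, out, sizeof out));
    printf("fixed (honest): %d\n",
           heartbeat_fixed(g_honest, sizeof g_honest, out, sizeof out));
    return 0;
}
```

The vulnerable handler echoes 32 bytes although only two were sent, so the response carries 14 bytes of the "neighbouring memory"; the fixed handler rejects the same record and still answers the honest one. In the real bug the over-read was not confined to one array, which is why a single request could return private key material or session data from the server's heap.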

"I don't know what their defect is ... [but] they never remove deprecated junk in their tree and they are very ineffective at getting reported bugs fixed in a timely fashion," he said.

De Raadt claims those working on LibreSSL have already removed 90,000 lines of C code, and some 150,000 lines in total, from OpenSSL, most of it either supporting niche platforms and applications or scheduled for deletion but never actually expunged.

He also told PC Pro that LibreSSL will initially be made "for [OpenBSD’s] own purposes, using the same process that resulted in OpenSSH".

It will first ship as part of an operating system in OpenBSD 5.6.

"At some point, we expect an effort will occur to make it available to other operating systems. I suspect quite a mass of people will join to help that, in particular people who care about those other operating systems," said de Raadt.

However, the OpenBSD team are "not promising anything to anyone yet", he cautioned.

While LibreSSL does have an official website, content is currently pretty scant. "At the moment we are too busy deleting and rewriting code to make a decent web page," the page reads.

However, a third-party blog called OpenSSL Valhalla Rampage has been set up for those wanting to keep up with every step of the project as it progresses.

User comments

Uh oh...

Software development is littered with the bones of teams who thought "we can do better than the existing code, which is horrible".

'Legacy' source code always looks nasty, but a lot of the nastiness is for edge and corner cases that the new dev. team haven't yet encountered, or to work around compiler bugs and so on.

They say "remove code for niche applications", and I read "break niche applications".

The idea that lots of talented developers will come and help is naïve at best - "if you build it, they will come" only works for Kevin Costner.

My main concern would be the fundamental attitude of "code first, documentation second" indicated by their approach to updating the project web site. The same applies to OpenSSL (see the 'STILL INCOMPLETE' on http://www.openssl.org/docs/).

By ElectronShepherd on 22 Apr 2014

@ElectronShepherd

You raise some valid concerns, however the developers do point out that they are not creating a replacement for OpenSSL, but something for their own use. In this case their approach may well be valid.

By tirons1 on 22 Apr 2014

@ElectronShepherd - Define Legacy...

Legacy used to mean software written on pre-GUI OSes. If you are referring to that true legacy code, then you are WRONG. Coders of those eras were trained in the art of system building with all the prerequisites involved.

With the upsurge of Java and other "coders" much of the quality and systems approach went out the window leaving an inordinate amount of techies who couldn't design a cardboard box.

By twatkiller on 24 Apr 2014

Just jargon

Oh, why can't the writers of articles like this "Heartbleed: LibreSSL scrubs 'irresponsible' OpenSSL code" use plain English? Most PC users are not boffins but people who read these articles in order to try to keep their PCs safe, then they come up against all the abbreviations, e.g. SSL, TLS, BSD, SSH etc. What on earth are all these? By halfway through most folk are fed up with not understanding the jargon and close the page, ensuring that only the in-crowd get the message.

By tyler4402 on 24 Apr 2014

Arrogant, Ignorant, Or Just Lazy?

As a matter of fact, it is good writing practice to include the fully expanded meaning of an acronym in parentheses following the first use, so it should be "SSL (Secure Socket Layer)" followed by "SSL" subsequently. This should occur for every separate publication: the writer should not assume that people will know the meaning of an acronym perhaps defined in a separate publication.

Moreover, excuse me, but is this web page not using HTML (Hyper-Text Markup Language)? The whole idea was to be able to more easily include references in exactly this way. It is pure laziness, of course. The writer, or editor will complain that they don't have the time to do the extra work. My response to that is that there is plenty of unemployment and there are a lot of young, educated, eager young people who perhaps might be prepared to be less jaded...

By Klobba on 25 Apr 2014

PCPro-Computing in the Real World Printed from www.pcpro.co.uk