Reclaiming OpenSSL – It Starts with Us

OpenSSL is in big trouble. Heartbleed got a lot of people talking, and some are taking action. The latest security advisories from OpenSSL may not look as bad, but they are still sobering nevertheless. We, the professionals in the field of software technology, need to rethink our stance here. Most of us chose indifference, and we allowed ourselves to get caught. Shame on us. We had a lot of warnings. And the vast majority of us, well, we ignored them. We joked, re-tweeted some amusing quotes about the quality of its code and about the people behind it, and then moved on to our daily jobs, untroubled as to what it really meant. Well, here we are now – our imaginary bubble of privacy and security popped once again (thanks NSA – we haven’t forgotten about you either). However, it’s also an opportunity to pause in order to confront the brutal facts and learn.

Shaking off the Apathy

The warnings started early, and it wasn’t always about the SSL/TLS infrastructure. Remember Conficker? Most of us don’t. And that’s alarming. Unleashed in 2008, it’s still a shark in a swimming pool, albeit a passive one for now. No one knows where it came from (Ukraine?), or what the intent was. At the height of Conficker activity, the most basic aspects of the Internet architecture suddenly looked like a house of cards. Most experts are of the opinion that it’s been trapped in the ever-active sinkholes, and that it’s no longer able to call home and communicate with the command-and-control servers. Or so we think. The fact is, various estimates put the number of nodes affected at 12 million or so as of today. And it’s still out there, lurking, waiting. We hope that its code base will die of obsolescence, but how long do we have?

Now enter the NSA, with its holier-than-thou attitude and its negligent belligerence that undermined the very products that were supposed to provide us with privacy and security online. We knew that the metaphorical house that we live in stands on a rotten foundation. But we are still working to cram more belongings in there – the Internet of Things, the phones, the tablets, our cars, our medical devices, and who knows what else – it all promises to make our lives easier and more convenient. But for how long are we going to choose convenience above all? The most important lesson here is that it’s time we woke up as professionals, and cast aside the apathy, the indifference and the “it’s not my job” attitude. OpenSSL can be made better as a result and, step by step, so can our interconnected world as a whole.

OpenSSL had been in trouble for a long time

OpenSSL had been criticized before, and often. Some even said that “OpenSSL is written by monkeys”. I had some first-hand experience with the OpenSSL source code around 2005. I spent a lot of time – days – trying to understand how Certificate Revocation Lists are handled. It was a dark place – a trap of #ifdef 0 or if(0) blocks, vague and lengthy functions with names that have no relation to what’s going on, and lots and lots of ‘what were they thinking’ moments. I gave up.

The sad thing is, here we are, almost a decade later, reaping what we have sown. And that feels pretty bad. Not only because we got caught in our own complacency, but because the picture was clear for over a decade. And I chose to do nothing.

So, what now?

Action. It’s time to act. There are lots of ideas tossed around, but I hope that all the talk will be followed by action. Some called to abandon OpenSSL altogether, some called for investments, and some stated that ‘throwing money at OpenSSL’ won’t solve a thing. There are plenty of false prophets with access to media outlets suggesting ridiculous things, like rewriting OpenSSL in C# or Java. I am looking at you, MIT Technology Review. Obvious noisemakers aside, I am not sure who’s right and who’s wrong. Personally, I am no longer sitting on the sidelines. I am getting involved – I am doing static code analysis on my own, hoping one day to provide value. I am also fortunate enough to be employed by a very successful technology company. I am working with my employer to explore options for donating funds to the OpenSSL project. Time will tell what will come of it. If not me, then who? If not now, when?
