SSLeay security
It seems I have expressed myself poorly. My point was that, as far as I am
aware, SSLeay has not been widely reviewed. A lot of people use it, sure, but
that is not review.

Since there are obvious defects in the code, from a security point of view,
such as failure to scrub keys, it wouldn't get a clean bill of health from me.
Of course, these kinds of defects require other defects in the user's security
policy (such as running on an operating system which permits free access to
memory) to exploit.

There may or may not be worse problems. I don't know. And I won't know until
either it becomes important to me, someone pays me to find out, or someone else
points them out.

I'm not saying that I'm aware of defects which are not obvious but my
experience in using it suggests that it may have them - it isn't that hard to
crash, and where there are crashes lurk possible security holes. Tracking
these down is where it stops being fun. At least for me.

Cheers,

Ben.
--
Ben Laurie Phone: +44 (181) 994 6435 Email: [email protected]
Freelance Consultant and Fax: +44 (181) 994 6472
Technical Director URL: http://www.algroup.co.uk/Apache-SSL
A.L. Digital Ltd, Apache Group member (http://www.apache.org)
London, England. Apache-SSL author