From: Ben Laurie <ben@gonzo.ben.algroup.co.uk>
To: cypherpunks@toad.com
Message Hash: 4b4cae120ce6ef4f3f04564cb0e06157d4b3f3221bacfdb458197998ada95175
Message ID: <9611291800.aa00402@gonzo.ben.algroup.co.uk>
Reply To: N/A
UTC Datetime: 1996-11-29 19:03:57 UTC
Raw Date: Fri, 29 Nov 1996 11:03:57 -0800 (PST)
Subject: SSLeay security

It seems I have expressed myself poorly. My point was that, as far as I am
aware, SSLeay has not been widely reviewed. A lot of people use it, sure, but
that is not review.

Since there are obvious defects in the code, from a security point of view,
such as failure to scrub keys, it wouldn't get a clean bill of health from me.
Of course, these kinds of defects require other defects in the user's security
policy (such as running on an operating system which permits free access to
memory) to exploit.

There may or may not be worse problems. I don't know. And I won't know until
either it becomes important to me, someone pays me to find out, or someone else
points them out.

I'm not saying that I'm aware of defects which are not obvious but my
experience in using it suggests that it may have them - it isn't that hard to
crash, and where there are crashes lurk possible security holes. Tracking
these down is where it stops being fun. At least for me.

Cheers,

Ben.

--
Ben Laurie                  Phone: +44 (181) 994 6435  Email: ben@algroup.co.uk
Freelance Consultant and    Fax:   +44 (181) 994 6472
Technical Director          URL: http://www.algroup.co.uk/Apache-SSL
A.L. Digital Ltd,           Apache Group member (http://www.apache.org)
London, England.            Apache-SSL author
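
The message above names failure to scrub keys as a defect. The following C sketch is an added example, not SSLeay code and not written by the message's author; it shows key material and its working copy being zeroed before the memory is released. The names `demo_key`, `scrub` and the toy checksum are hypothetical, and the key bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Zero through a volatile pointer: a plain memset() on a buffer that is
 * never read again may be removed by the optimiser as a dead store. */
static void scrub(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Hypothetical key container used only for this example. */
typedef struct { unsigned char key[16]; int loaded; } demo_key;

static void demo_key_load(demo_key *k, const unsigned char *m, size_t n) {
    scrub(k, sizeof *k);                  /* no stale bytes from earlier use */
    if (n > sizeof k->key) n = sizeof k->key;
    memcpy(k->key, m, n);
    k->loaded = 1;
}

/* Toy keyed checksum standing in for a cipher call (not cryptography).
 * The point is the stack copy, which is scrubbed before returning. */
static uint32_t demo_key_use(const demo_key *k, const unsigned char *msg, size_t n) {
    unsigned char sched[16];              /* working copy, like a key schedule */
    uint32_t acc = 0;
    memcpy(sched, k->key, sizeof sched);
    for (size_t i = 0; i < n; i++)
        acc = acc * 31u + (uint32_t)(msg[i] ^ sched[i % sizeof sched]);
    scrub(sched, sizeof sched);
    return acc;
}

/* Scrub the whole structure when the key is no longer needed. */
static void demo_key_free(demo_key *k) { scrub(k, sizeof *k); }

/* Returns 1 if every byte in the buffer is zero. */
static int is_all_zero(const void *p, size_t n) {
    const unsigned char *b = p;
    unsigned char acc = 0;
    while (n--) acc |= *b++;
    return acc == 0;
}

int main(void) {
    demo_key k;
    const unsigned char material[16] = "constructed-key"; /* constructed sample */
    demo_key_load(&k, material, sizeof material);
    (void)demo_key_use(&k, (const unsigned char *)"hello", 5);
    demo_key_free(&k);
    return is_all_zero(&k, sizeof k) ? 0 : 1;
}
```

Scrubbing shortens the time a key stays in memory; it does not cover copies held in registers, swap or core dumps.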