1996-11-29 - SSLeay security

Header Data

From: Ben Laurie <ben@gonzo.ben.algroup.co.uk>
To: cypherpunks@toad.com
Message Hash: 4b4cae120ce6ef4f3f04564cb0e06157d4b3f3221bacfdb458197998ada95175
Message ID: <9611291800.aa00402@gonzo.ben.algroup.co.uk>
Reply To: N/A
UTC Datetime: 1996-11-29 19:03:57 UTC
Raw Date: Fri, 29 Nov 1996 11:03:57 -0800 (PST)

Raw message

From: Ben Laurie <ben@gonzo.ben.algroup.co.uk>
Date: Fri, 29 Nov 1996 11:03:57 -0800 (PST)
To: cypherpunks@toad.com
Subject: SSLeay security
Message-ID: <9611291800.aa00402@gonzo.ben.algroup.co.uk>
MIME-Version: 1.0
Content-Type: text/plain


It seems I have expressed myself poorly. My point was that, as far as I am
aware, SSLeay has not been widely reviewed. A lot of people use it, sure, but
that is not review.

Since there are obvious defects in the code, from a security point of view,
such as failure to scrub keys, it wouldn't get a clean bill of health from me.

Of course, these kinds of defects require other defects in the user's security
policy (such as running on an operating system which permits free access to
memory) to exploit.

There may or may not be worse problems. I don't know. And I won't know until
either it becomes important to me, someone pays me to find out, or someone else
points them out.

I'm not saying that I'm aware of defects which are not obvious but my
experience in using it suggests that it may have them - it isn't that hard to
crash, and where there are crashes lurk possible security holes. Tracking
these down is where it stops being fun. At least for me.

Cheers,

Ben.

-- 
Ben Laurie                Phone: +44 (181) 994 6435  Email: ben@algroup.co.uk
Freelance Consultant and  Fax:   +44 (181) 994 6472
Technical Director        URL: http://www.algroup.co.uk/Apache-SSL
A.L. Digital Ltd,         Apache Group member (http://www.apache.org)
London, England.          Apache-SSL author
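The "failure to scrub keys" defect mentioned in the message is about key material remaining in process memory after it is no longer needed. The following is an added C example (written for this archive page, not code from the message, from SSLeay, or from Apache-SSL) showing the mitigation: a working key context that zeroes its key through a volatile pointer as soon as the key's job is done, plus a check that verifies no key byte survives. The XOR "cipher", the key context struct and the sample key and message are all constructed stand-ins; the point is the key lifecycle, not the cipher.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 32

/* Working context holding a copy of the key while it is in use.
 * Constructed illustration, not SSLeay's own data structure. */
typedef struct {
    unsigned char key[KEY_LEN];
    int loaded;
} key_ctx;

/* Overwrite n bytes through a volatile pointer so the compiler cannot
 * treat the stores as dead and drop them, which it is allowed to do with
 * a plain memset() on a buffer that is never read again. */
void secure_zero(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) {
        *v++ = 0;
    }
}

/* Returns 1 if every byte in buf[0..n) is zero, else 0. */
int all_zero(const unsigned char *buf, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

void key_ctx_load(key_ctx *ctx, const unsigned char key[KEY_LEN])
{
    memcpy(ctx->key, key, KEY_LEN);
    ctx->loaded = 1;
}

/* Stand-in for a cipher: XOR the message with the key. Only the key
 * handling matters for this example. */
void key_ctx_xor(const key_ctx *ctx, unsigned char *msg, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        msg[i] ^= ctx->key[i % KEY_LEN];
    }
}

/* Scrub the key the moment it is no longer needed, not at process exit. */
void key_ctx_destroy(key_ctx *ctx)
{
    secure_zero(ctx->key, KEY_LEN);
    ctx->loaded = 0;
}

/* Full lifecycle: load, use, destroy. Returns 1 when the ciphertext is
 * correct AND no key byte survives in the context or the caller's copy. */
int demo_key_lifecycle(void)
{
    /* Constructed sample key and message. */
    unsigned char key[KEY_LEN];
    unsigned char msg[8] = { 'S', 'S', 'L', 'e', 'a', 'y', '9', '6' };
    unsigned char expect[8];
    key_ctx ctx;
    int cipher_ok, scrubbed;

    for (size_t i = 0; i < KEY_LEN; i++) {
        key[i] = (unsigned char)(0xA0 + i);
    }
    for (size_t i = 0; i < sizeof msg; i++) {
        expect[i] = msg[i] ^ key[i];
    }

    key_ctx_load(&ctx, key);
    key_ctx_xor(&ctx, msg, sizeof msg);
    key_ctx_destroy(&ctx);

    cipher_ok = memcmp(msg, expect, sizeof msg) == 0;
    scrubbed  = all_zero(ctx.key, KEY_LEN) && ctx.loaded == 0;

    /* The caller's own copy of the key needs the same treatment. */
    secure_zero(key, sizeof key);
    return cipher_ok && scrubbed && all_zero(key, sizeof key);
}

int main(void)
{
    printf("key lifecycle: %s\n",
           demo_key_lifecycle() ? "key scrubbed" : "KEY LEAKED");
    return 0;
}
```

The volatile-pointer loop is the portable way to keep the zeroing from being optimised away; where available, `explicit_bzero()` (BSD, glibc) or C11's `memset_s()` do the same job. As the message notes, the defect only becomes exploitable together with something else, such as another process or a core dump being able to read this memory, which is exactly why scrubbing promptly is cheap insurance rather than a fix for that other problem.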