OpenSSL

Now that the internet is rocking with the OpenSSL flaw news, I took a look at WebPositive on the SSL test site:

https://www.ssllabs.com/ssltest/viewMyClient.html

The WebPositive I’m using on Alpha-3 gave me the following (partial)
result when visiting the test page. I wonder if the TLS compression
has been disabled in the latest WebPositive builds? I don’t have a
machine here to test them …

  • Server Name Indication (SNI) Yes
  • Secure Renegotiation Yes
  • TLS compression Yes INSECURE !!!
  • Session tickets No
  • OCSP stapling No

How about the system libraries for OpenSSL in general (i.e. relative to Heartbeat bug)?

Are the Haiku versions OK?

It’s hard to say if OpenSSL is secure :), but Haiku had an older version of OpenSSL that doesn’t contain Heartbleed.

Yes, it’s hard to know what to trust. Nowhere to turn, seemingly. How are you at writing your own encryption? LOL. So — just for grins I compiled curl-7.28 and polarssl-1.3.6 on Haiku r1a3. Since WebPositive was entirely curl based for its network back on r1a3, the upgrade from curl-7.21 to curl-7.28 and the change from openssl to polarssl at first seemed to improve things a fair amount - aside from a serious curl vulnerability seemingly introduced by the newer curl (see my edit, below). In terms of the SSL, the insecure TLS compression is gone now, the TLS version is higher, and the low grade encryption options are gone. Thusly, when I go to ssl test sites, the grade WebPositive gets is higher due to polarssl. But, the security is bombed, and now is really lower due to curl. Dang that curl! It’s forward one step, and backwards the next :(

Edit: A security flaw was found February/2013 and supposedly affects curl versions from some version (not sure which) up through 7.28.x - so I suspect that prudence would suggest I upgrade curl to v7.29 or higher in an attempt to find a less vulnerable version. The security flaw allows arbitrary code execution.

With the changeover, there are several sites that give me “BAD CERT” messages and refuse to load, but most https sites load just fine. The few sites that refuse to load now did load with the older curl and openssl. I’m using the polarssl as I write this, yet I don’t know for sure that it’s more secure. Certainly the curl portion isn’t more secure. Change isn’t always good :) The openssl brouhaha gave me an inkling to try something else, but whether it’s better or not, is very hard to say. It certainly won’t be better till I change the curl. Anybody have a crystal ball for these things?

The solution could be to upgrade to a recent nightly, but this particular (older) machine won’t run version r1a4+ :(

But…

Really, would the ssl in the nightlies be better? The networking for Web+ was entirely redone in the latest nightlies, and no longer uses curl (as far as I can recall from reading the reports). On the other hand, some of the issues like TLS compression, TLS version, and encryption levels are not curl issues, but are passed through from openssl. I suppose that the older version of openssl is still in the nightlies, so there would be no gain there. Am I correct about that? We surely don’t want the heartbleed that was in very recent openssl distribs though…

With heartbleed, curl exploit, and other gaffes, it seems there’s no way to be sure you’re secure.

I realize that the Haiku people are not recommending Haiku (and neither do I) for anything at all, security-wise implicated or not, simply because Haiku is in alpha state. Yet, I find Haiku is a very friendly platform for running the interesting, random code I find lying about. So, I play around …

If one looks too closely at these security issues, one may stop using the internet altogether! I for one do NO banking on it.

In the open source world, there’s mostly openssl, nss, and gnutls. People tend to go with “what everybody uses”. There’s some rationale there - because it’s standard practice to criticize the use of “non-standard” systems - i.e. “what everybody uses”.

Not using the standard system, when things go wrong, is a much more difficult stance to defend. But, there’s a little bit of brain death there in that thinking too. I can’t say whether polarssl is better or not, but it seems like a neat package. Only a few projects currently make use of it, so it’s one of those alternatives that people probably have a “but it’s not-quite-standard stuff” mentality.

Lately, lots of “standard” stuff has been breaking. Curl is considered pretty standard, and so is OpenSSL. The certificate system is considered standard, but many are now crying foul, saying it’s compromised. So, who knows what to do? It’s a crap-shoot game. I’m beginning to think open source is partially responsible. The crooks get the blueprints to work on. Then they exploit. I’m not sure I buy the “thousand eyes” idea anymore, because the crooks can go on offense big-time with the blueprints, and playing defense (the thousand eyes would do that, except that there are really only four) is several times more difficult. Ask any football player.