Yes, it’s hard to know what to trust. No where to turn, seemingly. How are you at writing your own encryption? LOL. So — just for grins I compiled curl-7.28 and polarssl-1.3.6 on Haiku r1a3. Since Webpositive was entirely curl based for its network back on r1a3, the upgrade from curl-7.21 to curl-7.28 and the change from openssl to polarssl at first seemed to improve things a fair amount - aside from a serious curl vulnerability seemingly introduced by the newer curl (see my edit, below) . In terms of the SSL, the insecure TLS compression is gone now, the TLS version is higher, and the low grade encryption options are gone. Thusly, when I go to ssl test sites, the grade WebPositive gets is higher due to polarssl. But, the security is bombed, and now is really lower due to curl. Dang that curl! It’s forward one step, and backwards the next
Edit: A security flaw was found February/2013 and supposedly affects curl versions from some version (not sure which) up thru 7.28.x - so I suspect that prudence would suggest I upgrade curl to v7.29 or higher in an attempt to find a less vulnerable version. The security flaw allows arbitrary code execution.
With the changeover, there are several sites that give me “BAD CERT” messages and refuse to load, but most https sites load just fine. The few sites that refuse to load now did load with the older curl and openssl. I’m using the polarssl as I write this, yet I don’t know for sure that it’s more secure. Certainly the curl portion isn’t more secure. Change isn’t always good The openssl brouhaha gave me an inkling to try something else, but whether it’s better or not, is very hard to say. It certainly won’t be better till I change the curl. Anybody have a crystal ball for these things?
The solution could be to upgrade to a recent nightly, but this particular (older) machine won’t run version r1a4+
But…
Really, would the ssl in the nightlies be better? The networking for Web+ was entirely redone in the latest nightlies, and no longer uses curl (as far as I can recall from reading the reports). On the other hand, some of the issues like TLS compression, TLS version, and encryption levels are not curl issues, but are passed through from openssl. I suppose that the older version of openssl is still in the nightlies, so there would be no gain there. Am I correct about that? We surely don’t want the heartbleed that was in very recent openssl distribs though…
With heartbleed, curl exploit, and other gaffs, it seems there’s no way to be sure you’re secure.