> I am wondering just how bad OpenSSL is?

While one can find various software engineering faults, I think that the main issue is 
not that it is "bad," it is that OpenSSL is written for cryptographic experts, 
not standard software developers.

The unfortunate thing is that most of the time the latter have no other choice 
but to use OpenSSL; in a perfect world they would be isolated from it by 
workflow-specific APIs that prevent them from shooting themselves in the foot 
too easily.

Von

On Oct 26, 2012, at 2:29 PM, John Case wrote:

> 
> I was recently reading the "most dangerous code in the world" article at 
> Stanford:
> 
> https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
> 
> and found the Hacker News discussion:
> 
> http://news.ycombinator.com/item?id=4695350
> 
> (interesting discussion and argument about curl library and how often it is 
> badly deployed)
> 
> And the Hacker News discussion led me to "OpenSSL is written by monkeys":
> 
> http://www.peereboom.us/assl/assl/html/openssl.html
> 
> 
> So, given what is in the Stanford report and then reading this rant about 
> OpenSSL, I am wondering just how bad OpenSSL is?  I've never had to 
> implement it or code with it, so I really have no idea.
> 
> How long has it been "understood" that it's a mess (if it is indeed a mess)? 
> How dangerous is it?
> 
> It looks like the rant was published in 2009 ....
> _______________________________________________
> cryptography mailing list
> cryptography@randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
