What you think of LibreSSL?

16 Antworten [Letzter Beitrag]
GNUser
Offline
Beigetreten: 07/17/2013

I didn't know of this, but apparently OpenSSL has been forked by the OpenBSD team into LibreSSL. Has been so for some time now, I just didn't know of it yet. Their goal is apparently to make it more secure by making the code easier to review by everyone. Modernizing the code, they say. What are your thoughts on this, should we start using LibreSSL, after all the s*** that has been going on with OpenSSL?

GNUser
Offline
Beigetreten: 07/17/2013
tomlukeywood
Offline
Beigetreten: 12/05/2014

sounds like a rely good project

martinh
Offline
Beigetreten: 02/21/2014

most definately !

The OpenBSD team are well known for transparent auditing of their source code,
also for the way they integrate security into an Operating System.
I'd say LibreSSL would be as welcome as OpenSSH (also by the OpenBSD team).

GNUser
Offline
Beigetreten: 07/17/2013

I am speaking from memory here but I think Jacob Appelbaum said in a speech that SSH keys were broken and the NSA had made it not secure... Does that apply to OpenSSH?

As for the transparent audit, I think (again from memory) that Theo de Radt (the main guy behind OpenBSD) had refused to provide the results of an independent review of OpenBSD code... Do you think it would apply to all the guys behind OpenBSD?

I think it is a really good project, don't get me wrong, it's just that OpenBSD has rubbed me off in some strange ways in the past... So I'm asking around for other people's thoughts on this :)

Though I would really love to use OpenBSD if it was made of free software only (I think someone posted here about a "LIberty BSD" or something, don't know what really came off that).

martinh
Offline
Beigetreten: 02/21/2014

Well, you're asking some very good Questions !

Although I don't know answers to them...I wasn't aware that OpenSSH keys may be broken,
but then Jacob Applebaum is somebody I would trust.

As to Theo de Raadt not providing the results of an independent review - that really
does surprise me and makes me curious as to why ? I will see what I can find...

LibertyBSD is still moving forward: http://www.libertybsd.net/ and 'alimiracle' from
the Trisquel Forums seems to be doing a lot of work on the ports tree !
Haven't tried it though, however they give some very interesting reasons as to why
OpenBSD may not be as transparent:(quote) "OpenBSD ships with several pieces of non-free, binary only firmware in the base system, and depending on the hardware detected, by default a script will download more at first boot, without informing the user of this."(end quote).

Also just found this concerning OpenSSL: http://www.theregister.co.uk/2015/07/06/awoogah_get_ready_to_patch_severe_bug_in_openssl_this_thursday/

Someone has already "complained" that this severe Bug does not have a name or logo like heartbleed :)

Magic Banana

I am a member!

Offline
Beigetreten: 07/24/2010

I am speaking from memory here but I think Jacob Appelbaum said in a speech that SSH keys were broken and the NSA had made it not secure...

I believe you either make a confusion with:

As for the transparent audit, I think (again from memory) that Theo de Radt (the main guy behind OpenBSD) had refused to provide the results of an independent review of OpenBSD code.

Any reference?

GNUser
Offline
Beigetreten: 07/17/2013

I am in a hurry right now, sorry for the short reply.

A quick websearch revealed these links:
https://www.techdirt.com/articles/20141229/06331329532/how-nsa-works-hard-to-break-encryption-any-way-it-can.shtml
http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html
https://hamish.gate.ac.uk/posts/2015/01/14/has-nsa-cracked-ssh/

Like I said, those comments are from memory (stuff I have read and heard online over the last couple months). I will try to document it better later.

I will try to find the OpenBSD references too.

Magic Banana

I am a member!

Offline
Beigetreten: 07/24/2010

https://hamish.gate.ac.uk/posts/2015/01/14/has-nsa-cracked-ssh/

This is the relevant link:

I'd be cautious about concluding that, for example, "SSH is broken", on the basis of this fragmentary report. Claims of successful decryption of SSH sessions almost certainly don't mean that (a) public key protocols protecting key exchange are broken (GPG would be broken too), or (b) any of the suite of ciphers used by SSH is vulnerable. They could be talking about side-channels, like fooling people into ignoring warnings that server keys have changed, or about sessions initiated from compromised machines.

GNUser
Offline
Beigetreten: 07/17/2013

I know this has been subject of many debates since the news came out, and while the situation might not be as bad as it seems, I do remember without a doubt that Jacob Applebaum (one of the journalists that is helping releasing the NSA documents and therefore has access to most information) said in a speech that yes, SSH has been made insecure.
Still, I am more interested in the LibreSSL project right now.

jei
jei

I am a member!

Offline
Beigetreten: 02/18/2015

You're thinking about this I reckon:
https://media.ccc.de/browse/congress/2014/31c3_-_6258_-_en_-_saal_1_-_201412282030_-_reconstructing_narratives_-_jacob_-_laura_poitras/download.html

He does say that there have been SSH sessions cracked, but that doesn't mean SSH in itself is insecure every time you use it. It still could've been mitm, or just insecure settings (SSH has different protocol versions, many different ciphers that can be used etc. of course some of them aren't secure).
I think you can use SSH in a secure way, but you have to make sure you're using the latest version on both of your machines and that you configure it in a secure fashion, for example this guide seems to give reasonable advice from what I can tell: https://stribika.github.io/2015/01/04/secure-secure-shell.html

andrew
Offline
Beigetreten: 04/19/2012

> What are your thoughts on this, should we start using LibreSSL, after
> all the s*** that has been going on with OpenSSL?

I don't know if the APIs for LibreSSL are the same for OpenSSL but
modifying programs to use the former could be a big job and ideally
would be done by upstream maintainers. From what I've heard LibreSSL is
a much more stripped down version of OpenSSL.

The OpenSSL project has received more contributions and resources to
continue since the event so the reason for LibreSSL isn't as much as it
was before. I think it sounds like a good project though.

Andrew

GNUser
Offline
Beigetreten: 07/17/2013

Being stripped down could be a good thing... since that would make the code easier to maintain and audit when necessary.
Not that I think the GNU/Linux distros out there will start using it, BSD distros might.
I like the idea of KISS software :)

moxalt
Offline
Beigetreten: 06/19/2015

UNIX philosophy = KISS

Jodiendo
Offline
Beigetreten: 01/09/2013

Only a few days old, OpenSSL fork LibreSSL is declared “unsafe for Linux”

I'm not an expert but testing a software program, before is release is essential in my books. Openssl nor libressl has not been tested sufficiently to me. So Ill stay away from it!

Follow the links and read the articles.

http://arstechnica.com/security/2014/07/only-a-few-days-old-openssl-fork-libressl-is-declared-unsafe-for-linux

OpenSSL code beyond repair, claims creator of “LibreSSL” fork

http://arstechnica.com/information-technology/2014/04/openssl-code-beyond-repair-claims-creator-of-libressl-fork/

GNUser
Offline
Beigetreten: 07/17/2013

Thanks for those links.
It seems to me that this is all a big mess, and only time will solve anything... people are trying to do things in one way and another, but computers are so complicated that you always end up fucking up somehow... Maybe the LibreSSL is a good approach, but it does seem like a "alpha" project.