At last weeks Showmecon Kenn White spoke about the project he is auditing OpenSSL. the following is from the webpage https://opencryptoaudit.org/people
When I first walked in to listen to his speech at the show, I was not paying attention, as the topic seemed to be about how some basic hacks were occuring.
Including the ones I have blogged about in the past (like heartbleed – reminder OpenSSL security bug) http://oversitesentry.com/?s=heartbleed&submit=Search Apr15, Jan21, Jan 14, and Dec29-2014
The biggest problem for me was the speaking style – it was not a standard speaker, more monotone and matter of fact. Then as Kenn started ticking off the things that were done to the OpenSSL project I realized that this is a researcher and his speaking style is more like a lecture at a university.
So i did what I always used to do in a lecture… take notes:
Open SSL audit
Complete rewrite for OpenSSL
Total metrics: 493k of code mostly C programming language
TLS state machine is being rewritten
Crypto core code as well
Protocol flows core engine
EVP (pki construction)
Open Threat feeds (Alienvault open threat) exchange v2
small OS footprint
Let’s encrypt is a command line version of certification authority
99.9% of attacks try to attack 1 yr old vulnerability
The audit project is at opencryptaudit.org
@kennwhite is his Twitter handle
I know I did not write too much in between the lines since I was trying to listen, but let me summarize:
The OpenSSL project itself is now included in many internal Linux and other operating systems for cryptographic connections between machines. The Heartbleed security bug made it clear to the open source (and IT) community that there were serious problems with the underlying code. And instead of waiting for more and more problems to surface the community decided to redo from the ground up the whole project (493,000 lines of code)
There will be a number of enhancements in the redo: TLS state machine will use TLS1.3 , Crypto Code will be reviewed, protocol flows and memory management will also be worked on, the EVP which is a pki construction also is going to be included.
The end result looks to be a major rewrite of this large open source project.
Something else that Kenn is working on is “Let’s encrypt” which is a command line certification authority.
In between of some of the information given were some security truisms like 99.9% of attacks try to attack 1 year old vulnerabilities or older.
Of course this is a lesson to me, don’t judge a speech at a convention by the monotone…
As it could just be somebody who even without awesome speaking skills important facts will be given. And of course it is good news that within a certain amount of time the OpenSSL code will be reworked – better and more secure.
In case everyone does not check Twitter this is Kenn White’s response: