Kenn White says OpenSSL Being Rewritten

At last week's ShowMeCon, Kenn White spoke about the project he is auditing: OpenSSL. The following is from the webpage https://opencryptoaudit.org/people

[Image: Kenn White's bio from https://opencryptoaudit.org/people]


When I first walked in to listen to his speech at the show, I was not paying attention, as the topic seemed to be about how some basic hacks were occurring.

Including the ones I have blogged about in the past (like Heartbleed, a reminder of the OpenSSL security bug): http://oversitesentry.com/?s=heartbleed&submit=Search (Apr 15, Jan 21, Jan 14, and Dec 29, 2014)


The biggest problem for me was the speaking style: it was not a standard speaker, more monotone and matter-of-fact. Then, as Kenn started ticking off the things that were done to the OpenSSL project, I realized that this is a researcher and his speaking style is more like a lecture at a university.


So I did what I always used to do in a lecture… take notes:

OpenSSL audit

Complete rewrite for OpenSSL

Total metrics: 493k lines of code, mostly in the C programming language

TLS state machine is being rewritten

Crypto core code as well

Protocol flows core engine

Memory management

EVP (PKI construction)

Major architecture

TLS 1.3

Marlinspike

Open threat feeds (AlienVault Open Threat Exchange v2)

Small OS footprint

Let's Encrypt is a command line version of a certification authority

99.9% of attacks try to attack a 1-year-old vulnerability

The audit project is at opencryptoaudit.org

@kennwhite is his Twitter handle


I know I did not write too much in between the lines since I was trying to listen, but let me summarize:

OpenSSL itself is now included in many Linux and other operating systems for cryptographic connections between machines. The Heartbleed security bug made it clear to the open source (and IT) community that there were serious problems with the underlying code. Instead of waiting for more and more problems to surface, the community decided to redo the whole project (493,000 lines of code) from the ground up.

There will be a number of enhancements in the redo: the TLS state machine will use TLS 1.3, the crypto code will be reviewed, protocol flows and memory management will also be worked on, and the EVP, which is a PKI construction, is also going to be included.

The end result looks to be a major rewrite of this large open source project.


Something else that Kenn is working on is “Let’s Encrypt”, which is a command line certification authority.

In between some of the information given were some security truisms, like: 99.9% of attacks target vulnerabilities that are 1 year old or older.


Of course this is a lesson to me: don’t judge a speech at a convention by the monotone…

It could just be somebody who, even without awesome speaking skills, has important facts to give. And of course it is good news that within a certain amount of time the OpenSSL code will be reworked: better and more secure.

In case not everyone checks Twitter, this is Kenn White’s response:

[Image: Kenn White's tweet in response]