For context, FIPS means “US Federal Information Processing Standards that specify requirements for cryptography modules.” (from http://wiki.openssl.org/index.php/Category:FIPS_140)
I agree that adding this type of complexity is wrong in a security context. However, what type of impact will this have on LibreSSL? Will this restrict adoption of a more secure framework? Will Government groups just throw up their hands and go back to OpenSSL? Will open source be banned from .mil networks because it no longer fully conforms to regulations?
I think Mozilla’s NSS is FIPS compliant so that is one option for software creators. What are the downsides to using NSS instead of LibreSSL? If NSS is a viable platform, why not just put the LibreSSL effort into helping the NSS project?
(1) lots of software expects the openssl api (2) if libressl can kill openssl then they can use the leverage of a monopoly position to change things.
i think the second point is what is most interesting here. openssl actually did a reasonably good job with the resources they had. they made compromises, for sure, but those compromises also helped (as you argue) make secure(ish) software more widely available. it seems to me that the biggest criticism of the openssl folks is not technical, but tactical. they didn’t recognise that they had got to a point where they had the strength to push back. to make changes. to fix the crap. and that is what is so good about libressl. it’s not the grandstanding and egos. it’s the idea that once you are popular you have power (and the moral duty to use it). you can (and should) push back.
you see this at work every day in the small. as a developer you have to know when to cut corners and when to claw back the debt. bad developers either never fix the compromises or never ship. good developers do both.
I don’t think the problem is that they didn’t push back; I think the problem is that they didn’t take responsibility for making OpenSSL secure, even in the absence of anything they’d need to push back against, and it’s not clear at this point that using OpenSSL in the last couple of years actually made things more secure than just sending stuff over the network in plaintext. Depends on your threat model, probably.
oh come on, you’re saying (excepting the long words) i may as well have done all my banking over http? if you really believe that then i think we’re on such different planets that communication is likely impossible.
(or you’re saying that you’re smart enough to invent a threat model where you’re right; i don’t doubt that for a minute, but surely we should weight by something reasonable…)
If the people who want to rob your bank account knew about Heartbleed but weren’t able to route your traffic through their sniffers, then unencrypted HTTP would have been better than using OpenSSL on your bank’s servers. Now, some adversaries were in fact in that position, while others were in the opposite position (e.g. the Great Firewall of China, assuming China didn’t know about Heartbleed), and the vast majority are irrelevant to this discussion because they could neither sniff nor bleed.
The question is, how do we weight the small number of relevant adversaries reasonably?
From my perspective, there are things more important than your bank account: for example, protecting political dissidents and victims of human-rights abuses, in their communications with Wikipedia and Wordpress and journalists, from snooping by the police and intelligence agencies operated by their oppressors. So I weight “possible people who found Heartbleed early” more highly than “people who sniffed plaintext transactions”, but I recognize that this weighting is arguable.
That’s why I said “it’s not clear that…OpenSSL…made things more secure…than plaintext…depends on your threat model” rather than “OpenSSL was less secure than plaintext”.
Rightly or wrongly, the differing magnitudes of these experiences inform my weighting of the risks.
As my friend Brandon Harris wrote on Facebook:
Consider this scenario: the Chinese government breaks Heartbleed. They then use it against Wikipedia to get the passwords of administrators with CheckUser privileges. They can then use those accounts to discover the identity and location of Chinese dissidents who are editing Wikipedia “illegally”. And then find them. And execute them.
He was talking about Chinese dissidents inside China, for whom one might think they would also be able to snoop using the Golden Shield — but presumably if OpenSSL didn’t exist, they’d be using some non-SSL VPN protocol (PPTP?) to access Wikipedia just in order to be able to edit controversial pages at all. And Heartbleed also allows them to hunt down Chinese dissidents outside China.
The whole thing is a crock of shit. You’re allowed to use Firefox, but only if you promise to use it in the right mode. That mode happens to require you to log in (to the browser!) before you can view https sites. Like Lobsters.
I wonder what happens if you turn off FIPS mode. Are you fired? Can you be sent to prison? Do you get put on the terrorist no fly list?
To the extent that FIPS mode is runtime configurable, and you can just lie about enabling it, nothing stops you from using libressl and telling anybody who asks that it’s FIPS validated. Unsure what dire lifestyle consequences that will have for you.
Honestly, I don’t care if the military can use OpenBSD or not. I’d like for them to use it, but this is about their rules, not mine. It’s their process that’s wrong. (Or rather, I actually do care. But they need to move out of the stone age and this “how do we know that we know what we know about the product we just bought” mentality.)