Post-Heartbleed: Is it time to kill OpenSSL?

" ... it's nobody's fault. No one was ever truly in charge of OpenSSL, it just sort of became the default landfill for prototypes of cryptographic inventions, and since it had everything cryptographic under the sun (somewhere, if you could find out how to use it), it also became the default source of cryptographic functionality."

...and nobody's ever going to get fired for making mistakes

"I'm sure more than one person has thought 'Nobody ever got fired for using OpenSSL'. And that is why everybody is panicking on the Internet as I write this. This bug was pretty bad, even as bugs in OpenSSL go, but my co-columnist at ACM Queue, Kode Vicious, managed to find a silver lining.

"Because they used a 'short' integer, only 64 kilobytes' worth of secrets are exposed. And that is not the first nor will it be the last serious bug in OpenSSL, and, therefore, OpenSSL must die, for it will never get any better.

"We need a well-designed API, as simple as possible to make it hard for people to use it incorrectly. And we need multiple independent quality implementations of that API, so that if one turns out to be crap, people can switch to a better one in a matter of hours."
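The "short integer" remark above is the whole mechanism of Heartbleed: the heartbeat handler echoed as many bytes as the peer's 16-bit length field claimed, without checking that claim against the record it had actually received. The following is an added illustration written for this article, not OpenSSL's code; it mirrors only the shape of the bug and of the bounds check that fixed it, on a constructed request sitting in a small in-process arena (names such as heartbeat_reply_vuln, heartbeat_reply_fixed and the 'S' marker bytes are this example's own).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Wire format of a TLS heartbeat message (RFC 6520):
 *   1 byte   type (1 = request, 2 = response)
 *   2 bytes  payload_length, big-endian
 *   payload_length bytes of payload
 *   >= 16 bytes of random padding
 * Everything below is illustrative code for this article, not OpenSSL's
 * source; it only reproduces the shape of the bug and of its fix. */
#define HB_HDR_LEN  3
#define HB_PAD_LEN  16
#define HB_REQUEST  1
#define HB_RESPONSE 2

static uint16_t read_u16(const uint8_t *p) { return (uint16_t)(((unsigned)p[0] << 8) | p[1]); }
static void write_u16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Shared response builder: echoes `payload` bytes from after the header.
 * It does exactly what it is told; whether `payload` is safe is the caller's job. */
static uint8_t *build_reply(const uint8_t *rec, uint16_t payload, size_t *resp_len)
{
    size_t len = HB_HDR_LEN + (size_t)payload + HB_PAD_LEN;
    uint8_t *resp = malloc(len);
    if (!resp) { *resp_len = 0; return NULL; }
    resp[0] = HB_RESPONSE;
    write_u16(resp + 1, payload);
    memcpy(resp + HB_HDR_LEN, rec + HB_HDR_LEN, payload);       /* the echo */
    memset(resp + HB_HDR_LEN + payload, 0, HB_PAD_LEN);         /* padding (random in a real stack) */
    *resp_len = len;
    return resp;
}

/* Vulnerable handler: trusts the peer's 16-bit length field outright, so the
 * memcpy in build_reply walks past the end of the real record. Because the
 * field is 16 bits, the over-read is capped at 65535 bytes per request:
 * the "only 64 kilobytes" of the quote above. */
uint8_t *heartbeat_reply_vuln(const uint8_t *rec, size_t rec_len, size_t *resp_len)
{
    (void)rec_len;                       /* the bug: the real record length is never consulted */
    if (rec[0] != HB_REQUEST) { *resp_len = 0; return NULL; }
    return build_reply(rec, read_u16(rec + 1), resp_len);
}

/* Fixed handler: silently discards any request whose claimed payload, plus
 * header and minimum padding, does not fit inside the record actually received. */
uint8_t *heartbeat_reply_fixed(const uint8_t *rec, size_t rec_len, size_t *resp_len)
{
    *resp_len = 0;
    if (rec_len < HB_HDR_LEN + HB_PAD_LEN) return NULL;          /* too short to parse at all */
    if (rec[0] != HB_REQUEST) return NULL;
    uint16_t payload = read_u16(rec + 1);
    if ((size_t)HB_HDR_LEN + payload + HB_PAD_LEN > rec_len) return NULL;  /* discard, per RFC 6520 */
    return build_reply(rec, payload, resp_len);
}

/* Constructed fixture: a 24-byte heartbeat request (5-byte payload "hello"
 * plus 16 bytes of padding) at the start of a 256-byte arena whose remaining
 * bytes, marked 'S', stand in for neighbouring memory that should stay private.
 * Keeping the whole demonstration inside one arena keeps it well-defined; in a
 * real process the over-read returns whatever heap memory follows the record. */
#define ARENA_LEN    256
#define REAL_PAYLOAD 5
#define REAL_REC_LEN (HB_HDR_LEN + REAL_PAYLOAD + HB_PAD_LEN)

void build_arena(uint8_t *arena, uint16_t claimed_payload)
{
    memset(arena, 'S', ARENA_LEN);                 /* bytes that are not ours to echo */
    arena[0] = HB_REQUEST;
    write_u16(arena + 1, claimed_payload);         /* attacker-controlled claim */
    memcpy(arena + HB_HDR_LEN, "hello", REAL_PAYLOAD);
    memset(arena + HB_HDR_LEN + REAL_PAYLOAD, 0, HB_PAD_LEN);
}

/* Count how many echoed payload bytes came from outside the real record. */
size_t leaked_bytes(const uint8_t *resp, size_t resp_len)
{
    size_t n = 0;
    for (size_t i = HB_HDR_LEN; i + HB_PAD_LEN < resp_len; i++)
        if (resp[i] == 'S') n++;
    return n;
}
```

With a claimed length of 40 against a 24-byte record, the vulnerable handler returns 19 bytes of arena memory that were never part of the request, while the fixed handler returns nothing; a well-formed request (claimed length 5) is answered identically by both. The check is a single comparison, which is the point: the defect was not cryptographic, it was a missing length validation in a feature most deployments never used.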

Plus, there may be an advantage to deploying a commercial solution...

Whether OpenSSL should be replaced with a commercial alternative is a contentious debate, but doing so might make it less likely that attention drifts away from the update process.

"One main advantage of going for a commercial software provider is that they should be more concerned with updating," says Bogdan Dimitru, CTO at Bitdefender. "By opening SSL up with additional update components, everything might have been fine when it came to Heartbleed - the update would have been pushed to all of its clients and their servers and that would have been the end of it.

"This is the type of thing that's more in the realm of the commercial software provider. They pay more attention to the update process - this is not the case when it comes to OpenSSL."

Kane Fulton
Kane has been fascinated by the endless possibilities of computers since first getting his hands on an Amiga 500+ back in 1991. These days he mostly lives in realm of VR, where he's working his way into the world Paddleball rankings in Rec Room.