Post-Heartbleed: Is it time to kill OpenSSL?

" ... it's nobody's fault. No one was ever truly in charge of OpenSSL, it just sort of became the default landfill for prototypes of cryptographic inventions, and since it had everything cryptographic under the sun (somewhere, if you could find out how to use it), it also became the default source of cryptographic functionality."

...and nobody's ever going to get fired for making mistakes

"I'm sure more than one person has thought 'Nobody ever got fired for using OpenSSL'. And that is why everybody is panicking on the Internet as I write this. This bug was pretty bad, even as bugs in OpenSSL go, but my co-columnist at ACM Queue, Kode Vicious, managed to find a silver lining.

"Because they used a 'short' integer, only 64 kilobytes worth of secrets are exposed. And that is not the first nor will it be the last serious bug in OpenSSL, and, therefore, OpenSSL must die, for it will never get any better.

"We need a well-designed API, as simple as possible to make it hard for people to use it incorrectly. And we need multiple independent quality implementations of that API, so that if one turns out to be crap, people can switch to a better one in a matter of hours."

Plus, there may be an advantage to deploying a commercial solution...

Whether OpenSSL should be switched for a commercial alternative is a contentious debate, but it's possible that doing so would greatly reduce the possibility of eyes being taken off the ball when it comes to updates.

"One main advantage of going for a commercial software provider is that they should be more concerned with updating," says Bogdan Dimitru, CTO at Bitdefender. "By opening SSL up with additional update components, everything might have been fine when it came to Heartbleed - the update would have been pushed to all of its clients and their servers and that would been the end of it.

"This is the type of thing that's more in the realm of the commercial software provider. They pay more attention to the update process - this is not the case when it comes to OpenSSL."

Kane Fulton
Kane has been fascinated by the endless possibilities of computers since first getting his hands on an Amiga 500+ back in 1991. These days he mostly lives in realm of VR, where he's working his way into the world Paddleball rankings in Rec Room.