Enter the 36 chambers of infrastructure wu-tang

Thursday, May 15, 2008

What not to do

I was discussing the following with a good friend of mine earlier and we are both confused about why it is not major news, getting flogged everywhere such geekery is common. This is one of the more egregious failures ever perpetrated.

Debian (and Ubuntu) OpenSSL stupidity.

This is why it is so important that you can't simply hack crypto together and cross your fingers. Some bright spark decided to comment out the source of entropy for the random number generator, so everything works fine, but the keys are no longer random and no longer from an enormous pool. Commented out not for a carefully considered engineering reason, but simply because it was generating errors from a code analysis tool. This is badness.

I won't get into a rant about how a proper development process could let this through and instead will offer these two tidbits. The first is a thread from 2003 regarding errors from Valgrind on this very line of code and exactly why they should be ignored. The second is the entry from the OpenSSL FAQ (added in September 2007) reiterating the point. This was a known issue with a known solution (ignore it).

I cannot overstate this: leave crypto to the pros or become a pro yourself (I'm merely an interested amateur).

The thread.
The FAQ.

TLS Report beta

The TLS Report is stable (give or take). I'll be migrating it to AWS soon, even though their report is not great. But, hey, could be worse!