
Re: [LUG] OpenSSL --> LibreSSL

 




Microsoft are doing better than they were. But April's patches include remote code exploitation critical issues across all supported platforms which have Internet Explorer (and Windows XP).

I was using Microsoft as an example simply because they had the largest piles of cash, have been emphasising security, especially in products like IE, but it is rare a month goes by without similar critical issues.

Microsoft have also been pushing hard to develop and drive through ISO standards on secure development.

However, I suspect the issue is that to do substantially better one needs to make big changes - dropping old protocols, dropping older platforms, major restructuring, or even reimplementation in languages better suited to secure application development. Some of these are easier where you don't have contracts in place; I doubt with Microsoft as sponsor they'll get away with dropping Windows support, for example, even if in engineering terms it made sense.

One also needs to understand the priorities of these big companies are not our priorities as users or developers or whatever your role is. There is considerable overlap, but one of the reasons free software works is that usually the alignment of interests is tighter.

Worth also asking if it is worth saving. All major browsers, Apple and Microsoft all use alternative SSL implementations. Might simply be better to move away and let it die. Focus the efforts on a better code base; there are a fair few free implementations to pick from.


-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq