After heartbleed in 2014, there were a lot of calls to abandon OpenSSL and support alternative libraries because it had written itself into a corner full of holes. I didn’t anticipate that 11 years later, there’d be a call to abandon OpenSSL because it’s written itself into a corner of running at 1% the performance of those very same alternative libraries https://www.haproxy.com/blog/state-of-ssl-stacks
abadidea (0xabad1dea@infosec.exchange)'s status on Wednesday, 07-May-2025 19:35:04 JST abadidea
abadidea (0xabad1dea@infosec.exchange)'s status on Wednesday, 07-May-2025 20:30:27 JST abadidea
tangentially, I’m perplexed that someone would both name their project BoringSSL and be very willing to break API compatibility on a moment-to-moment basis. That feels like a “pick one” situation
Rich Felker and GreenSkyOverMe (Monika) repeated this.
abadidea (0xabad1dea@infosec.exchange)'s status on Wednesday, 07-May-2025 20:30:27 JST abadidea
there's nothing wrong with being the bleeding-edge option, but we need to workshop this branding. ExcitingSSL. RollerCoaster Crypto. Thrills and Chills TLS
feld (feld@friedcheese.us)'s status on Thursday, 08-May-2025 10:06:08 JST feld
@0xabad1dea the OpenSSL debacle is proof the open source community doesn't know best. "Bugs are shallow..." bullshit. Massive performance gains are often shallow but nobody is doing it.
There was an opportunity to seize the moment, but the only person who seemed to care was Bob Beck. And then once OpenSSL promised to make things better, everyone gave the torch back to the OpenSSL folks (except OpenBSD).
FreeBSD abandoned their plan to switch to LibreSSL and I'm still bitter about it.
"Crypto is scary and dangerous, only the most expert experts should do it" is usually the excuse why people aren't stepping up. Crypto fear mongering is gatekeeping now. We need more people trying. Failure is ok but almost nobody is trying.
Meanwhile Google and Amazon said "ha fuck this" and forked.
Open source community? Suffers in silence (except OpenBSD, who has always suffered performance issues lol)
Marcin Cieślak (saper@mastodon.social)'s status on Friday, 09-May-2025 12:25:19 JST Marcin Cieślak
@feld @0xabad1dea Quite happy with NSS, but this is definitely something not even remotely OpenSSL-compatible