Must...resist...the Power of the Force.
I have never been so tempted to post a few very snappish things that really could be effectively done in 140 characters. Security drama marketeers that were hoping for another major flaw in OpenSSL yesterday, instead of a DoS attack, etc.
On Twitter, security seems to be all about teh drama, and I am on record that Drama Indicates FAIL.
OTOH, OpenSSL does deserve some comment. It is so widely deployed that it might justifiably be regarded as Critical Infrastructure, though that term is also drama-bait. Cyber-attacks. a) Oh noes, run in fear, or b) evaluate it in terms of your threat model, and make rational decisions. I am a big fan of b.
It turns out that there is a very good cheat-sheet for OpenSSL. Ivan Ristić has published a revision of OpenSSL Cookbook. It isn't exactly how I would have done it, but then Ristić has absolutely no need to emulate some random guy that gets a few hundred hits per month. Because Ivan Ristić is a major talent. You have to register to get it in one of several formats, but it is a worthy update. You can also download Apache Security and ModSecurity Handbook after registration.
It does lack a few things, such as an explanation of compiler options, which are pretty much out of scope for a brief overview of the high points. And the openssl speed -evp command-line option will not have any effect on at least some Intel Ivy Bridge CPUs. Though -multi (n), which tells 'openssl speed' how many cores to use, very much will. In my tests, it scales in a very linear fashion, as expected. I still have to do plots of cores v temp. Maybe next week.
I note that speed(1), on my system, does not document all command-line options. So, for instance, not knowing about '-multi (n)' will cost you a verification test.
TODO: update the OpenSSL Position Paper.