[Cryptography] Apple and OpenSSL

ianG iang at iang.org
Sat Apr 19 08:01:23 EDT 2014


On 19/04/2014 03:46 am, Paul Wouters wrote:
> On Fri, 18 Apr 2014, Jerry Leichter wrote:
> 
>> Be aware that this is a strongly pro-Apple site, and that comes
>> through plainly in the article.  Still, it's an interesting history of
>> how one company has been dealing with the issue of crypto software.
>>
>> http://appleinsider.com/articles/14/04/18/how-apple-dodged-the-heartbleed-bullet
>>
> 
>     "If your app depends on OpenSSL, you should compile OpenSSL yourself
>     and statically link a known version of OpenSSL into your app. This use of
>     OpenSSL is possible on both OS X and iOS. However, unless you are trying
>     to maintain source compatibility with an existing open source project,
>     you should generally use a different API."
> 
> Clearly Apple had users' security interest in mind when they stated that :P
> 
> Also how can the writer confirm app developers must statically link in
> openssl and say in the title "Apple dodged the heartbleed bullet".



Coz it's a different group of people.  Apple did the right thing, but
they allowed an escape valve so that some small dedicated devs with
openssl code bases or mindsets could do the wrong thing.

Once it is them that muck up, it isn't Apple.  No problem, no mud
sticks, and more importantly, their devs can get back to work and their
users are happy.

It's all about groups and interests.  Alignment or misalignment.

iang


