[Cryptography] LibreSSL unaffected by DROWN

Henry Baker hbaker1 at pipeline.com
Wed Mar 2 13:26:50 EST 2016


FYI --

http://slashdot.org/story/16/03/02/1620221/libressl-unaffected-by-drown

serviscope_minor writes:

The OpenBSD people forked and heavily cleaned up OpenSSL to create LibreSSL due to dissatisfaction with the maintenance of OpenSSL, culminating in the Heartbleed bug.

The emphasis has been on cleaning up the code and improving security, which includes removing things such as SSL2, which has fundamental security flaws.

As a result, LibreSSL is not affected by the DROWN bug. LibreSSL is largely compatible with OpenSSL.

The main exceptions are in the cases where programs use insecure functions removed from LibreSSL, or require bug compatibility with OpenSSL.
---

I just love the phrase "bug compatibility"!

I'll put that right up there with "God could create the world in 7 days because he didn't have an installed base".


