[Cryptography] Apple and OpenSSL

Jerry Leichter leichter at lrw.com
Sat Apr 19 00:09:55 EDT 2014


On Apr 18, 2014, at 10:46 PM, Paul Wouters <paul at cypherpunks.ca> wrote:
> 	"If your app depends on OpenSSL, you should compile OpenSSL yourself and
> 	statically link a known version of OpenSSL into your app. This use of
> 	OpenSSL is possible on both OS X and iOS. However, unless you are trying
> 	to maintain source compatibility with an existing open source project,
> 	you should generally use a different API."
> 
> Clearly Apple had users' security interest in mind when they stated that :P
What would you have wanted them to say instead?

> Also how can the writer confirm app developers must statically link in
> openssl and say in the title "Apple dodged the heartbleed bullet"?
*Apple* dodged the bullet.  There's no way they could prevent other developers from putting themselves (and their users) in harm's way (as it turned out - no one could really know for sure at the time) by using OpenSSL.  (Well, in iOS Apps - available only through the App store, or with MacOS applications in the Mac App store, they could if they really wanted, as they control what goes into the App stores.  But you can imagine the complaints if they did that.)

                                                        -- Jerry


