dcc1 | 12 years ago

Maybe Akamai and other large internet companies (Google, Facebook, Cloudflare, etc.) contribute now financially and/or with engineers towards OpenSSL development or create an alternative.

This whole thing has been one giant clusterfuck; I myself have seen one rather large Alexa top 1000 site being exploited by sessions being hijacked.

brians|12 years ago

Akamai posted its special heap implementation to openssl-dev yesterday: <http://marc.info/?l=openssl-users&m=139723972124003&w=2>. We'll follow that up with help to adapt it to openssl's needs---which are much, much broader than our set of problems. We run 100k machines, sure---but all x86-64, almost all Linux, and all running substantially the same software. We don't use DTLS. We don't use any PAKE systems. We are, in some sense, an easy problem.

The OpenSSL Foundation is trying to help people with those needs and needs varying on every imaginable dimension communicate with secrecy and strong authentication. We should expect them to need several times as many developers full time on that problem as any of the planetary-scale computing companies.

euphemize|12 years ago

Totally agree.

I'm finalizing a tool to scan and visualize the top 1M Alexa site URLs to see which are vulnerable - and ~3% (30 000) still are. In the last few days I've observed about ~5% of those getting patched daily (~1500).