Tuesday, April 8, 2014

Should I still use OpenSSL?

OpenSSL does not have a good record of secure coding, although its maintainers patch the code very quickly. The most recent bug, Heartbleed, lets a user with a direct connection to any application running an affected version of OpenSSL access that application's memory space, which includes the keys loaded in memory.



What should you turn to next if you decide to drop OpenSSL from your list of SSL cryptographic providers? You might want to try Mozilla's NSS and use it to replace the leaky OpenSSL library.
