<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Tue, Apr 8, 2014 at 11:29 AM, Gregory Collins <span dir="ltr"><<a href="mailto:greg@gregorycollins.net" target="_blank">greg@gregorycollins.net</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div class="gmail_extra"><div class=""><div class="gmail_quote">On Tue, Apr 8, 2014 at 5:10 PM, Michael Snoyman <span dir="ltr"><<a href="mailto:michael@snoyman.com" target="_blank">michael@snoyman.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">I know people have raised security concerns about using the tls package due to lack of testing relative to OpenSSL, but I'm not sure if those arguments are so valid given recent events[5].</blockquote>
</div><br></div>Yeah, I've been meaning to mention this issue -- I have definitely been among those in the past pushing for OpenSSL as the only sensible solution (conventional crypto wisdom is that you stick to tried and true, well-tested solutions) but I might change my tune on this. Sure, the Haskell tls library might potentially be vulnerable to unknown side chaining or timing attacks (and there is C code in there), but I don't see much chance of buffer overflows leading to secret key disclosure (!) coming out of our camp.</div>
</div></blockquote><div><br></div><div>I would still want to see some kind of security review; the fact that someone found a hole in the steel door doesn't justify replacing it with a plastic screen door.</div><div><br>
</div></div>-- <br><div dir="ltr"><div>brandon s allbery kf8nh sine nomine associates</div><div><a href="mailto:allbery.b@gmail.com" target="_blank">allbery.b@gmail.com</a> <a href="mailto:ballbery@sinenomine.net" target="_blank">ballbery@sinenomine.net</a></div>
<div>unix, openafs, kerberos, infrastructure, xmonad <a href="http://sinenomine.net" target="_blank">http://sinenomine.net</a></div></div>
</div></div>