These are all just birth pains of the information age. Our software is old, and has tried to keep up and grow as demands and technology have increased. It will definitely need to be replaced. Hopefully Heartbleed and the Snowden revelations get the Big Thinkers on the path towards doing so, and that does seem to be what is happening.
For what it's worth, OpenBSD (arguably the most secure OS on the planet) has started a serious overhaul of OpenSSL. I guess we'll see what it looks like in a few months.
I needed a crypto library last year and looked into OpenSSL and man o man what a crap API, I know enough crypto that (in theory) I can program my own. So the terms and whatnot should not be confusing. But OpenSSL was a confusing pile of excrement. I am not at all surprised that horrible monster bugs lurked in those waters. The crap API told me two things. First that these people have their heads in their asses and that they also have their asses stuck at least a decade into the past. It reeked of one of those Open Source projects where they claim they are so few working so hard but would probably crap all over any newcomers who tried to contribute. I didn't look at the source code but I am going to predict incomprehensible variables and even hungarian notation (loved by programmers with serious OCD).
This is a completely unrelated questioned, but what are you thoughts on BitMessage?
wiki | their site Is this concept (independent of that actual BitMessage platform / execution) going to be the future of private / encrypted communications? Or is it a stupid idea? It BitMessage executing it well, even though they are still in beta, or is there some gaping hole that most folks aren't seeing?
I just looked at the source code. around 1/4th of the variables I saw had a pretty good name, 1/4th were terrible names, and the last 1/2 were single letter variable names. WTF? The file names were bonkers stupid. A typical name was tls_srp.c.
Transport layer security syrup. Alternatively, "Transport layer security Secure Remote Password", GnuTLS has a similar thing: gnutls_srp.c
Meh. I'll dump it as soon as you finish its replacement.
There are a number of alternatives to OpenSSL. Are any of them are more secure or well-written? No idea.
I'm not so sure what is considered here to be a proper talk and what is a pointless mumble, nevertheless here are my thoughts on this topic: Whenever the talk is about open-source, what makes it bad is also what makes it paradoxically good. For that you see, open-source is inherintly a chaotic consept. Free code, limitless amount of volunteers, yet questionable skill of mentioned individuals. The problems are nearly identical in nearly all projects is that people sometimes spend an unreasonable amount of time trying to band-aid an already "patched" software. Although, in hands of clever core developers, pure genious that is git or similar, and undeniably some luck, some masterpieces can be created (though some might say I'm being overly fanatic). Unfortunately it seems that OpenSSL outdid its welcome. Whenever you start to hear that there is a ludicrous amount of bugs, then clearly some gnome is no longer magically keeping the garden intact; people have lost the enthusiasm. At some point, perhaps, the project had went in the wrong direction, hence experts foreshadowing its demise, or it could have been unexpected and unpleasant surprise for everyone (latter being pretty unlikely for this particular case). While its stupendous to state that the project will revive itself, some things can be mentioned for certain. For one, it's natural for any given project to become extinct. It is not possible for us to know for certain that something will exist indefinitly, but at the very least, the consept, the idea will live on. Of course, just like any creation, it's sad to see its beating heart to stop, especially for its creator; mistakes are to be learned from and to be improved upon. I am more than excited to see what could possibly come out as a successor. Only time will tell. So in conclusion, OpenSSL is a good idea which went without a clear guidance - a path proven so many times to fail. But most definitly, it's not the time to say that Linux lost SSL support. And when the time will come, "From the ashes, phoenix will rise!"