OpenSSL 1.0.0 Released
hardaker writes "After over 11 years of development since the start of the OpenSSL Project (1998-12-23), OpenSSL version 1.0.0 has finally hit the shelves of the free-for-all store."
The worst documentation I've ever seen (Score:0, Insightful)
Version 1.0 and I'm sure the docs are all outdated as they always have been. They really need to get their shit together when it comes to some decent documentation.
Re:You insensitive clod... (Score:3, Insightful)
Or monkeying with the random number generator.
Documentation (Score:5, Insightful)
openssl(1): [STILL INCOMPLETE]
ssl(3): [STILL INCOMPLETE]
crypto(3): [STILL INCOMPLETE]
HOWTO: [STILL INCOMPLETE]
I would trade in the last 12 months' worth of OpenSSL development for some decent documentation. [STILL INCOMPLETE] is a half truth as well; the complete bits suck in novel ways.
Re:You insensitive clod... (Score:4, Insightful)
Or monkeying with the random number generator.
After being ignored by arrogant dolts who didn't bother to correct him and guide him into providing a better fix.
Re:You insensitive clod... (Score:3, Insightful)
Then if you neither understand the code nor understand the effects your changes make to the code, you don't make the change. The fault squarely lies with the idiot monkeying around in places he shouldn't have.
Re:Geee! (Score:4, Insightful)
To use the Packet Forensics box, a law enforcement or intelligence agency would have to install it inside an ISP, and persuade one of the Certificate Authorities — using money, blackmail or legal process — to issue a fake certificate for the targeted website. Then they could capture your username and password, and be able to see whatever transactions you make online.
Granted, TFA states that a hacker could potentially circumvent the more difficult parts by using social engineering—registering a certificate that looks like it matches a particular web site and hoping surfers will manually accept it. But that's again a problem with the certificate authority and/or user, not SSL itself.
All the article really boils down to is that SSL is useless if the client and server can't trust the certificate authority. Which should be freaking obvious.