[Interest] Qt 5.9 and OpenSSL 1.1?
Giuseppe D'Angelo
giuseppe.dangelo at kdab.com
Mon Sep 16 20:48:20 CEST 2019
On 16/09/2019 18:51, Roland Hughes wrote:
>
> On 9/16/19 10:41 AM, Giuseppe D'Angelo wrote:
>> On 16/09/2019 14:44, Roland Hughes wrote:
>>> On 9/16/19 5:00 AM,interest-request at qt-project.org wrote:
>>>> Il 14/09/19 14:53, Roland Hughes ha scritto:
>>>>> Please keep in mind there is no version of SSL which is secure.
>>>> Do you have any reference/source for this (quite extraordinary) claim?
>>> You know, for you it wouldn't matter. It would be a link and you are
>>> incapable of actually clicking then reading anything which doesn't
>>> support your opinion.
>> So, personal insults right off the bat?
> Not insults, factual history. You've even flamed about links in messages
> in this very thread.
>>> There are numerous packages on the market which
>>> cut through SSL like a hot knife through butter.
>> Any link to ANY of those?
>
> This is the leg work __you__ should be doing before writing your first
> line of code and before making any claim that SSL is secure.
It doesn't work like this. YOU made the claim that SSL is not secure.
Specifically, that it's as secure as
> hanging a CLOSED sign on the unlocked door to a
> jewelry store having $20 million in inventory sitting in the cases
> without an alarm system.
So YOU now have to provide the references to support that claim.
> https://techxplore.com/news/2019-03-cybersecurity-dark-web-exposes-vulnerability.html
>
> Actual report the article is based on
>
> https://www.venafi.com/sites/default/files/2019-02/Dark-Web-WP.pdf
This is exclusively about PKIs. It doesn't show any breach whatsoever of
SSL.
>
> Here's some historical ones from Cisco. A bit dated but shows just how
> thriving successful attacks have been through SSL.
>
> https://blogs.cisco.com/security/breach-crime-and-blackhat
This actually puts SSL in a positive light, showing only THREE attacks
against it. At least RFC 7457 shows more.
>
> More
>
> https://www.semrush.com/blog/https-a-modern-false-sense-of-security
And this again just mentions that earlier SSL versions had security
vulnerabilities. It does not sustain the claim that there is NO version
which is secure.
(As Thiago has already reminded, we're way past the point where we do
get to prove mathematically the correctness and the security of our
code; instead we rely on expert research, responsible disclosure and
quick fix of any issue that may have been found.)
>>> "60 Minutes" did a
>>> piece on the best known and most financially successful one but some
>>> sources say there are around a dozen packages playing at the same level.
>>> Here's the link which was provided before and I'm sure you didn't bother
>>> to follow prior to responding.
>>>
>>> https://www.cbsnews.com/news/interview-with-ceo-of-nso-group-spyware-maker-fighting-terror-khashoggi-murder-and-saudi-arabia-60-minutes-2019-08-18/
>> The link does not talk about breaking SSL. The link is about spyware for
>> smartphones. SSL is actually never mentioned, not to mention of course
>> breaking it.
>
> One of the primary ways it does it is by breaching SSL which is the
> easiest entry point. The second entry point is via that little
> bot/virus/malware/whatever-called-this-week they attach to the phishing
> email.
Where exactly in the video is "breaching SSL" stated? This is pure
speculation, and very likely to be false too (you don't need to breach
SSL to plant malware. You don't even need SSL in the first place!).
>>>>> Please also keep in mind the big systems are moving towards a TCP/IP
>>>>> software appliance within the OS. No application will be able to create
>>>>> or open a port. No application will be able to choose/define the
>>>>> transport layer security. They will open a logical-resource-handle
>>>>> provided by the OS and the systems manager will configure if that
>>>>> resource is I, O, or I/O as well as what the transport level protocols
>>>>> are. Eventually (within 5 years of adoption) this will be forced out
>>>>> into the IoT and lesser devices world as well.
>>>> So long for the "backward compatibility is paramount" promise then.
>>> That would only be for the hokey code which came from the *nix world.
>> And Windows.
> which took it from the *nix world if memory serves.
>>> For the code which didn't come from a world that did it wrong it is 100%
>>> backwardly compatible because that is exactly how we did network
>>> communications. In other words all of the software developed_on_ those
>>> platforms and_for_ those platforms will be fine. What will be going
>>> away are the *nix TCP/IP library functions of C/C++ because they are a
>>> massive security nightmare. There was a time when marketing bowed to the
>>> pressure from companies which only wanted "free" software on their
>>> million plus dollar platform, but that has lead to security catastrophe
>>> after security catastrophe. Now they are in the process of locking them
>>> back down and just letting people whine an snivel about *nix package not
>>> being available on the platform.
>> So we're talking about non-Unix, non-Windows, non-Apple platforms. I.e.
>> roughly about 0% of the current market share of Qt. What are Qt users
>> (the people who read this very mailing list) going to do with this
>> useless information?
>
> These are the business engines the embedded systems many of us create in
> the industrial and medical worlds which our devices will have to play
> nice with or some other device will be purchased which isn't written
> with Qt.
So what's the relevance of how such business engines implement their
network security, and Qt applications, NOT running on any of such
systems? Such applications WILL be able to create sockets and open ports.
> Don't be so quick to say non-Unix because that is not correct. Tru64 had
> it and that got rolled into HP-UX as well as into Non-Stop. It was also
> added into AIX at some point. It even existed on the original Windows NT
> before the tiny DOS brains at Microsoft stripped NT back to nothing but DOS.
More insults.
> The selling point in the world of the Big Dogs is now bullet proof
> security. An [SNIP]
Off-topic trivia.
> One final thought/question. Just how many of the Qt applications which
> you've written using SSL did you sign up to take a course for then
> obtain the tools to perform full security testing?
>
> https://www.udemy.com/course/web-application-ethical-hacking/
>
> Did you just file it under "buyer beware?"
>
> No Giuseppe, I'm not going to do even more research for you.
This not "doing research for me". This is following the rule that
extraordinary claims require extraordinary proofs and evidence. The
claim disputed here is "there is no version of SSL which is secure".
> You should
> be learning all of this yourself and you should not be telling people
> adding SSL/TLS to their application makes them secure. It's better than
> nothing because it will keep honest people out, but it certainly is not
> "secure."
And where exactly did I say anything at all in that regard?
> There is no "one and done" solution for security.
We are NOT debating this. We are debating this claim:
> Please keep in mind there is no version of SSL which is secure. All you
> are doing by using it is hanging a CLOSED sign on the unlocked door to a
> jewelry store having $20 million in inventory sitting in the cases
> without an alarm system.
Insofar, the evidence brought was that
* earlier SSL versions were vulnerable to attacks, but these
vulnerabilities have been addressed in later SSL standards;
* that PKI is critical (e.g. if you steal somebody's certificate you can
impersonate), which has almost zero to do with SSL itself and way more
with other security operations;
* that the only remaining attacks against SSL can be mitigated via
server-side configurations (something that 99.99% of Qt users don't even
care about as they're on the client side);
* that such remaining attacks require massive botnets and state-grade
actors to be carried.
This sounds to me more like that you have a 6" composite metal door
protecting your jewelry store, designed by the best specialists in the
industry, which is quite effective at keeping the thieves out. Provided,
of course, you remember to lock it; and don't leave the combination
written on a post-it note that you can read from the window; and get rid
of the plywood door on the back; and read the letters from the
manufacturer when it tells you to install a more recent one (and then
actually doing it); whilst knowing perfectly that it will stop the local
burglar, but not a M829 sabot fired from the army.
--
Giuseppe D'Angelo | giuseppe.dangelo at kdab.com | Senior Software Engineer
KDAB (France) S.A.S., a KDAB Group company
Tel. France +33 (0)4 90 84 08 53, http://www.kdab.com
KDAB - The Qt, C++ and OpenGL Experts
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4329 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.qt-project.org/pipermail/interest/attachments/20190916/14a0aa41/attachment.bin>
More information about the Interest
mailing list