> Finding a genuine security flaw in OpenSSL is extraordinarily difficult.
history suggests otherwise
> The fact that 12 previously unknown vulnerabilities could still be found there, including issues dating back to 1998, suggests that manual review faces significant limits, even in mature, heavily audited codebases.
no, the code is simply beyond horrible to read, not to mention diabolically bad
if you've never tried it, have a go, but bring plenty of eyebleach
The badness cannot be overstated. "Hostile codebase" would be an appropriate label. Much more information available in Giovani Bechis's presentation: https://www.slideshare.net/slideshow/libressl/42162879
If someone meant to engineer a codebase to hide subtle bugs which might be remotely exploitable, leak state, behave unexpectedly at runtime, or all of the above, the code would look like this.
> If someone meant to engineer a codebase to hide subtle bugs which might be remotely exploitable, leak state, behave unexpectedly at runtime, or all of the above, the code would look like this.
I wonder who could possibly be incentivized to make the cryptography package used by most of the worlds computers and communications networks full of subtly exploitable hard to find bugs. Surely everyone would want such a key piece of technology to be air tight and easy to debug
But also: surely a technology developed in a highly adversarial environment would be easy to maintain and keep understandable. You definitely would have no reason to play whackamole with random stuff as it arises
> Surely everyone would want such a key piece of technology to be air tight and easy to debug
1. Tragedy of the Commons (https://en.wikipedia.org/wiki/Tragedy_of_the_commons) / Bystander Effect (https://en.wikipedia.org/wiki/Bystander_effect)
2. In practice, the risk of introducing a breakage probably makes upstream averse to refactoring for aesthetics alone; you’d need to prove that there’s a functional bug. But of course, you’re less likely to notice a functional bug if the aesthetic is so bad you can’t follow the code. And when people need a new feature, that will get shoehorned in while changing as little code as possible, because nobody fully understands why everything is there. Especially when execution speed is a potential attack vector.
So maybe shades of the trolley problem too - people would rather passively let multiple bugs exist, than be actively responsible for introducing one.
I wonder what adoption would actually look like.
It reminds me of Google Dart, which was originally pitched as an alternate language that enabled web programming in the style Google likes (strong types etc.). There was a loud cry of scope creep from implementors and undo market influence in places like Hacker News. It was so poorly received that Google rescinded the proposal to make it a peer language to JavaScript.
Granted, the interests point in different directions for security software v.s. a mainstream platform. Still, audiences are quick to question the motives of companies that have the scale to invest in something like making a net-new security runtime.
Another great example from tedunangst's excellent presentation "LibreSSL more than 30 days later".
https://youtu.be/WFMYeMNCcSY&t=1024
Teaser: "It's like throw a rock, you're gonna hit something... I pointed people in the wrong direction, and they still found a bug".
See also The State of OpenSSL for pyca/cryptography
https://cryptography.io/en/latest/statements/state-of-openss...
Recently discussed: https://news.ycombinator.com/item?id=46624352
> Finally, taking an OpenSSL public API and attempting to trace the implementation to see how it is implemented has become an exercise in self-flagellation. Being able to read the source to understand how something works is important both as part of self-improvement in software engineering, but also because as sophisticated consumers there are inevitably things about how an implementation works that aren’t documented, and reading the source gives you ground truth. The number of indirect calls, optional paths, #ifdef, and other obstacles to comprehension is astounding. We cannot overstate the extent to which just reading the OpenSSL source code has become miserable — in a way that both wasn’t true previously, and isn’t true in LibreSSL, BoringSSL, or AWS-LC.
Also,
> OpenSSL’s CI is exceptionally flaky, and the OpenSSL project has grown to tolerate this flakiness, which masks serious bugs. OpenSSL 3.0.4 contained a critical buffer overflow in the RSA implementation on AVX-512-capable CPUs. This bug was actually caught by CI — but because the crash only occurred when the CI runner happened to have an AVX-512 CPU (not all did), the failures were apparently dismissed as flakiness. Three years later, the project still merges code with failing tests: the day we prepared our conference slides, five of ten recent commits had failing CI checks, and the day before we delivered the talk, every single commit had failing cross-compilation builds.
Even bugs caught by CI get ignored and end up in releases.
It really is just a collection of several dozen research grade implementations for algorithms + a small handful of load bearing algorithms for the entire internet. Surprisingly, OpenSSL isn't the only critical piece of internet architecture like this.
Is it still a critical piece? I thought most everyone migrated to libressl or boringssl after the heartbleed fiasco and serious people took a look at OpenSSL and started to understand the horror show that is the codebase and also development practices that clearly have not gotten better, if not gotten even worse.
The longer I develop software, the more I realize just how awful most software engineering it.
maybe this is what blindsides most developers into disregarding the threat of AI to their jobs. We work off some idealised version of what the industry actually is which we presume AI will fail at, instead of the reality.
I remain surprised at how long people can flog horses I figured would be dead decades earlier in enterprise. Too scared to fix fundamental issues and still running off the fumes of vendor lock-in with exasperated end users.
There was an article on here 15ish years ago to the effect of "everything's broken all the time. Everyone who writes software knows it, yet we all tolerate it."
I'd love to find that sometime. Maybe it's time to ask Gemini once again to look for me.
Is this what you are looking for?
“…just think, Wally, everything that makes this thing go was supplied by the lowest bidder.”
- astronaut
Referencing the classic https://xkcd.com/2030
"I don't quite know how to put this, but our entire field is bad at what we do, and if you rely on us everyone will die"
"They say they've fixed it with something called <del>blockchain</del> AI"
"Bury it in the desert. Wear gloves"
Honestly, this is absurdly funny, but it makes me wonder whether we'll ever see Computer Science and Computer Engineering as seriously as other branches of STEM. I've been debating recently whether I should keep working in this field, after years of repeatedly seeing incompetence and complacency create disastrous effects in the real world.
Oftentimes, I wonder if the world wouldn't be a bit better without the last 10 or 15 years of computer technology.
> makes me wonder whether we'll ever see Computer Science and Computer Engineering as seriously as other branches of STEM
It's about as serious as a heart attack at this point...
We don't know how to secure C codebases by manual review. It's been well known to security engineering people for decades. And has been wider industry and academic consensus for a long time. It's like "is man-made climate change real".
(We don't know how to secure other codebases either, but C is harder since its memory safety story is like a chainsaw juggling act so code has classes of vulnerabilities that other languages don't and this eats a lot of the attention).
> history suggests otherwise
The methodology for developing and maintaining codebases like OpenSSL has changed!
> no, the code is simply beyond horrible to read, not to mention diabolically bad
OpenSSL? Parts of it definitely are, yes. It's better since they re-styled it. The old SSLeay code was truly truly awful.
Also werent a lot of deadend code removed and vulns patched into what would become LibreSSL.
Would be interesting to see if any of those found exist there.
Why do people use OpenSSL? Or any other library that forked from it
Why not start from a clean slate? Companies like Google could afford it
AWS actually has two libraries they use instead: s2n and aws-lc https://github.com/aws/s2n-tls https://github.com/aws/aws-lc
Security certifications are one reason. OpenSSL maintains a module for FIPS compliance, which includes an entire boatload of weak and broken algorithms nobody else bothers with.
Instead of everybody switching to LibreSSL, we had the Linux Foundation reward OpenSSL's incompetence with funding.
We are still suffering from that mistake, and LibreSSL is well-maintained and easier to migrate to than it ever was.
What the hell are we waiting for?
Is nobody at Debian, Fedora or Ubuntu able to step forward and set the direction?
I can read C/C++ code about as well as I can read German. Bits and pieces make sense but I definitely don’t get the subtleties.
What’s eye bleachy about this beyond regular C/C++?
For context I’m fluent in C#/javascript/ruby and generally understand structs and pointers although not confident in writing performant code with them.
For one thing, "C/C++" is not a thing. If you see C-like C++, that is C.
Part of OpenSSL's incomprehensibility is that it is not C++ and therefore lacks automatic memory management. Because it doesn't have built-in allocation and initialization, it is filled with BLAH_grunk_new and QVQ_hurrr_init. "new" and "init" semantics vary between modules because it's all ad hoc. Sometimes callees deallocate their arguments.
The only reason it needs module prefixes like BLAH and QVQ and DERP is that again it is not C++ and lacks namespaces. To readers, this is just visual noise. Sometimes a function has the same name with a different module, and compatible function signature, so it's possible to accidentally call the wrong one.
Like any powerful tool, used responsibly in the right hands it could lead to great good; in the wrong hands or used irresponsibly, it could be extremely dangerous.
Impressive.
I checked the stack overflow that was marked High, and Fil-C prevents that one.
One of the out-of-bounds writes is also definitely prevented.
It's not clear if Fil-C protects you against all of the others (Fil-C won't prevent denial of service, and that's what some of these are; Fil-C also won't help you if you accidentally didn't encrypt something, which is what another one of these bugs is about).
The one about forgetting to encrypt some bytes is marked Low Severity because it's an API that they say you're unlikely to use. Seems kinda believable but also ....... terrifying? What if someone is calling the AESNI codepath directly for reasons?
Here's the data about that one:
"Issue summary: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated.
Impact summary: The trailing 1-15 bytes of a message may be exposed in cleartext on encryption and are not covered by the authentication tag, allowing an attacker to read or tamper with those bytes without detection."
This really is quite scary.
I suspect this year we are going to see a _lot_ more of this.
While it's good these bugs are being found and closed, the problem is two fold
1) It takes time to get the patches through distribution 2) the vast majority of projects are not well equipped to handle complex security bugs in a "reasonable" time frame.
2 is a killer. There's so much abandonware out there, either as full apps/servers or libraries. These can't ever really be patched. Previously these weren't really worth spending effort on - might have a few thousand targets of questionable value.
Now you can spin up potentially thousands of exploits against thousands of long tail services. In aggregate this is millions of targets.
And even if this case didn't exist it's going to be difficult to patch systems quickly enough. Imagine an adversary that can drip feed zero days against targets.
Not really sure how this can be solved. I guess you'd hope that the good guys can do some sort of mega patch against software quicker than bad actors.
But really as the npm debacle showed the industry is not in a good place when it comes to timely secure software delivery even without millions of potential new zero days flying around.
There’s a reason multiple projects popped up to replace OpenSSL after Heartbleed was discovered.
Let’s see them to do this on projects with a better historical track record.
It's good these bugs are being found and closed. The problems have nothing to do with AI, unless I'm missing something.
Picture the traumatized Mr. Incredible meme with the text "lowering the barrier means more exploits are found"
"We submitted detailed technical reports through their coordinated security reporting process, including complete reproduction steps, root cause analysis, and concrete patch proposals. In each case, our proposed fixes either informed or were directly adopted by the OpenSSL team."
This sounds like a great approach. Kudos!
So here we have OpenSSL, coded by humans, universally adopted by the Internet, universally deemed to be terrible code.
More evidence that "coding elegance" is irrelevant to a product's success, which bodes well for AI generated code.
If anything, this is evidence that coding elegance has value.
The unexpected part here being that AI brings specks of elegance to a terrible, inelegant codebase.
Openssl? Code elegance?
OpenSSL is a very odd codebase, it's grown by accretion, under many stewards, with several flavours of coding belief, over time from SSLEAY which Eric Young coded over 2 decades ago. It had chip-specific speedups from the days of the Intel 486.
I was part of a body which funded work to include some stuff in the code, and the way you take something like X509 and incorperate a new ASN.1 structure inside the code, to be validated against conformance requirements (so not just signing blindly over the bitstream, but understanding the ASN.1 and validating it has certain properties about what it says, like not overlapping assertions of numeric ranges encoded in it) is to invoke callouts from deep down, to perform tasks and then return state. You basically seem to have to do about a 5 layer deep callout and return. It's a massive wedding cake of dependency on itself, it personifies the xkcd diagram of "...depends on <small thing>" risks.
I'm not surprised people continue to find flaws. I would like to understand if this approach also found flaws in e.g. libsodium or other more modern crytography, or in the OpenBSD maintained libreSSL code (or whatever it is) or Peter Gutmann's code.
OpenSSL is a large target.
The fun thing to me here is that a ton of really creative thinkers are going to have access to tools (LLM agents) that allow them to test their thinking quickly. I dearly hope that this leads to a prolonged phase of pain and loss.
We made good choices when we decided the information on the internet should be delivered by simple, open protocols.
We made bad choices when we decided that the information on the internet didn't need to be verified, or verifiable.
Then we slipped on our good choices, because our bad choices let robber barons claim the verified or verifiable case.
And then we were left an explosive entropy shit-pile.
But now the new tools the new overlords are paying us to use will help us break free from their shackles, bwahahahahahahahahahahahah!!!!
I'm bearish on AI creating working software but bullish on AI doing this kind of thing
AI is definitely creating working software.
It's also leading people to submit hallucinations as security vulns in open source. I've had to deal with some of them.
Nah, if that were true there would be a lot more new software available. What's it working at is making developers feel busy, which is itself a worthwhile task.
Maybe it's available but you don't realize it.
Maybe. Sounds like a real marketing failure in that case
There may be some other limiting factors on the rate of generation of new useful software. E.g. money to market it, humans to specify it, perhaps there's enough software already...
Are you unable to create working software with frontier models?
I am, though it always takes me longer than just writing it myself because I have to fix so much (which may be a function of the kind of software I write). But more importantly the development team I support as an admin absolutely loves their agents or whatever they're being called this week and yet isn't giving me stuff that I can move into operations any faster than they were a year ago.
What industry, and what kind of software? Your assessment was generally spot on a year ago, but things have changed dramatically in the last quarter, so I'm curious how fresh this assessment is.
Well, multiple types of software. The avionics simulation software we make isn't really a candidate for AI both because of procurement requirements and the fact that as of this month (we do check periodically) no LLM really gets how to do realtime Linux processes (this may be downstream of the fact that most writing about this topic on the Web is catastrophically wrong). The stuff we can use AI on is just generic customer-facing web schlock and it sure looks like we're trading dev time for integration time for what ends up being a wash.
Why don’t you post some of the software the AI has produced for you in the last quarter? Shouldn’t be a problem since it works so well now.
What's the kind of prompt / flow to get Claude to work on those security tasks?
Same as for people. You establish what the threat model is and then have multiple approaches. For example going through all interesting operations, tracking down their inputs and data flow, then looking for edge cases along the way. If you have enough time / tokens, this becomes more of a spreadsheet/checklist exercise. The more experience you have, the better you can prioritise that list towards paths that are more likely to be disrupted.
Does anyone have any recommendations on best practice security methods? As others have said, it sounds like there may be an order of magnitude more vulnerabilities found / exploited, and I'm wondering if security such as 2FA and Password Managers will be enough? Should people be getting on board with other protections such as security keys?
"Humans + AI" ...
Without Humans, AI does nothing. Currently, at least.
Just wait until AI has its own money
Wait until AI starts using AI
How many false positives did the AI throw up?
Does it matter? They found 12 vulnerabilities. Clearly there was enough signal:noise that they could uncover these as real.
It doesn't look like they had 1 AI run for 20 minutes and then 30 humans sift through for weeks.
> It doesn't look like they had 1 AI run for 20 minutes and then 30 humans sift through for weeks.
It does, though, look like they were running their AI over the codebase for an extended period of time (not per run, but multiple runs over the period of a year)
> Does it matter?
Hell yes, false reports are the bane of the bug bounty industry.
I wonder too. Did it take many human hours to verify everything?
They don't appear to go into detail about anything except how great it is that they found the bugs, what those bugs were, and how rare it is for other people to find bugs.
I think that it would be helpful from a research point of view to know what sort of noise their AI tool is generating, but, because they appear to be trying to sell the service, they don't want you to know how many dev months you will lose chasing issues that amount to nothing.
What kind of AI does this use?
This sounds amazing but not too much info on how it worked
I don't know why you're still using OpenSSL but if you're able to switch I note that BoringSSL was not affected by any of the January 2026 OpenSSL advisories, and was also not affected by any of the advisories from 2025, and was affected by only one of the 2024 advisories. I also note that I don't see any hasty commit activity to s2n-tls that looks like a response to these advisories.
Better software is out there.
I wanted to mention WolfSSL.
I like to recommend that project because it has a very transparent vulnerabilities approach, and is in my opinion written a lot more sane than OpenSSL which is somewhat not using standard C features because it always implements everything from scratch like a kernel does.
But yeah, anyways, WolfSSL comes from the embedded area in case that's your thing.
ok, so the USP for this analyzer is: 'He hackers, if you look for zero-days we've got the tool for you!'
Pretty impressive. Whether you think AI is a bubble or not, we all benefit from these findings.
As for all the slop the Curl team has been putting up with, I suppose a fool with a tool is still a fool.
Only 12?
The title change from "AISLE" to "AI" is misleading. As the article states,
> This doesn't mean that AI can replace human expertise. The OpenSSL maintainers' deep knowledge of the codebase was essential for validating findings and developing robust fixes. But it does change the SLA of security. When autonomous discovery is paired with responsible disclosure, it collapses the time-to-remediation for the entire ecosystem.
Related:
OpenSSL: Stack buffer overflow in CMS AuthEnvelopedData parsing
Link seems to be down... But also, considering curl recently shut down its bug bounty program due to AI spam, this doesn't really inspire much confidence.