Re: OpenSSL -> Secure Transport for libevent2
- Subject: Re: OpenSSL -> Secure Transport for libevent2
- From: Jens Alfke <email@hidden>
- Date: Mon, 15 Jun 2015 12:35:15 -0700
On Jun 15, 2015, at 12:28 PM, Quinn The Eskimo! <email@hidden> wrote:
> o We recommend that developers who need OpenSSL build their own copy of it and include that copy in their app. Alternatively you can use native OS X APIs, like Secure Transport.
Embedding OpenSSL seems like a bad idea unless you absolutely require some feature that only it provides, or you have so much code already using those APIs that it would be impractical to port.
By “bad idea” I mean not only that it will bloat the size of your app, but that you’re also now on the hook for keeping track of security issues in OpenSSL and updating your app ASAP if something like Heartbleed happens again. If you stop maintaining the app, you’re leaving its users vulnerable.
(I’m also not sure whether OpenSSL offers storage that’s as secure as the Keychain. If not, then you’re relying only on filesystem encryption to keep your users’ passwords or private keys safe.)
—Jens
_______________________________________________
Macnetworkprog mailing list (email@hidden)