On 8/19/19 5:00 AM, Thiago Macieira wrote:
>>>> To start with, there is no version of OpenSSL which is secure. Whoever
>>>> is using Qt just because it makes using SSL easy(ier) shouldn't be using
>>>> Qt anyway because they are releasing an insecure app they incorrectly
>>>> feel is secure.
>>> That's very disingenuous.
>> Honestly, it is a _completely_ accurate statement. Hopefully you had
>> time to watch the "60 Minutes" report on "Pegasus" tonight.
>>
>> https://www.cbsnews.com/video/ceo-of-israeli-spyware-maker-nso-on-fighting-terror-khashoggi-murder-and-saudi-arabia-60-minutes/
> You're going from disingenuous to actively counterproductive.
No, I'm being highly productive. I'm sorry if it is an inconvenient truth, but SSL is not secure. Too many in here are buying the BS in the name "Secure Socket Layer" and knee-jerk using it then claiming their application is "secure." The truth is they haven't even attempted security.

> We know OpenSSL has problems. My point is that all problems are fixed as soon
> as they are known. We can't prove mathematically that there are no problems,
> so the best we can do is fix as soon as possible and upgrade.
It has an architectural flaw which cannot be fixed. Flaws in Open Source have a history of going multiple decades before being outed to the general public (à la the Bash bug which allowed anyone with access to a Guest account to become root user on the machine.)

> And there's no better option.

There are many better options. None of them are one and done unless you purchase a security package of some sort, be it a private VPN or a library which allows your app to create its own private VPN.

For the no-license-no-money you have to roll your own rotating book code and recipe servers. No two packets in any transmission use the same key. No consecutive packets use the same encryption. Taking it to the extreme, none of the data is sent complete or logically grouped. At the end of each book is the server and creds to obtain the next book. Please don't confuse "book" with there being a requirement for using an actual published book.


> I never claimed that using OpenSSL will make your software magically secure.

No you haven't and thank you for that. Others, two in particular who know less than nothing about most things, especially security, have made such a claim to someone who actually asked the question. Others will find that thread, read it, and release an insecure system.


> The crypto itself has never been broken.

That would be an incorrect statement.


> Quick note: before reading any patents, consult your lawyer.
Actually, I have the lawyer read the patents. <Grin>
> I somehow think that 25 years of knowledge of the segment and close
> relationship with very big consulting companies like KDAB and ICS would have
> told them if it was enough.
>
> So I think you're wrong. You're probably underestimating how much money they
> could make off consulting alone.

No. I'm thinking your definition of "very big" needs to be upgraded. Assuming

https://www.kdab.com/

https://www.owler.com/company/kdab

Estimated Annual Revenue
$ < 1M

I consider the one I like to deal with "small"

https://www.tripleco.com/

https://www.owler.com/company/tripleco

Estimated Annual Revenue
$16.2M

Having said that, I can say that the "consulting" services provided to one of my clients before I joined the project (at no small fee) attempted to use a state machine (because it was brand new) to solve a problem which was so completely inappropriate for a state machine even a first year IT student wouldn't have tried to use it. The code, if printed on Charmin, still wouldn't have served a purpose.

The reason I bring that up is that yes, if that is the level of "consulting" the "new" owners of Qt are still providing they won't earn a plug nickel and rightly so.


> PS: Electron, containing Chromium, has FAR MORE licenses inside than Qt.
> Including a copy of FFMPEG, which contains multimedia codecs that may be
> patented.

Yeah, but the Script Kiddies creating idiot phone apps never bother reading them. They just hack something out and hurl it up on the Google App store, firmly believing that Google, the largest copyright infringer and book pirate in the known universe (google books) won't press the issue. If they do then it is possible that __finally__ Google execs and board of directors will go to prison where they should very well be.

PS. The Internet Archive is now attempting to take the copyright infringement and piracy crown from Google.

http://www.interestingauthors.com/blog/publishing/controlled-digital-lending-book-piracys-new-name/


--
Roland Hughes, President
Logikal Solutions
(630)-205-1593  (cell)
http://www.theminimumyouneedtoknow.com
http://www.infiniteexposure.net
http://www.johnsmith-book.com

_______________________________________________
Interest mailing list
Interest@qt-project.org
https://lists.qt-project.org/listinfo/interest