Question about OpenSSL versus a proprietary SSL solution
I know the advantage of open source. A bug becomes known, an army of coders moves in to patch it, life is good. However, I've read that only a few people actively work on OpenSSL.
Other than OpenSSL being a donation (or free), why choose it over a proprietary one? Are the commercial SSL solutions really expensive and difficult to deploy? I'm NOT being anti-open source here, just asking a sincere question. Thanks.
Steve
PoliticAverse (26,366 posts)
steve2470 (37,456 posts)
Last edited Sun Apr 20, 2014, 09:16 PM
Doesn't Verisign etc. use their own TLS?
ETA: changed subject line
PoliticAverse (26,366 posts)
Their SSL certificate issuing business they sold to Symantec, which now controls the verisign.com domain name.
Here's what they do now: https://www.verisigninc.com/
I think most places just use what comes with the operating system and web server, VPN, or email server they are using.
jrandom421 (999 posts)
to all the Linux and open source fanboys he knows, a simple email message: "Ha Ha!"
JShima (1 post)
Hi Steve,
There are a few advantages to a proprietary solution.
1) There is an inherent (additional) buffer of security because the source code of the implementation is not readily downloadable. The software provider serves as a check and balance to qualify that the recipient is an entity which can be identified. Given that the blueprints for the code are not easily available to parties that are not identifiable, this limits exploit and vulnerability experimentation.
2) The expense is minimal when you consider the impacts such as Heartbleed can have on your product and customers. In most cases I would say that the price range for a commercial solution is around 5K-20K depending on the use scenario and scope or utilization of support that your organization requires. Taking an open source implementation of OpenSSL, massaging it to your use parameters, and then maintaining it is not free, contrary to popular belief.
3) Many of the commercial solutions focus on size and performance. This may not be an issue for you depending on the device or implementation, but many of the connected devices for IoT/M2M simply do not have loads of memory available to waste. Here there is also a cost savings which is hardware related.
4) Many of the arguments that I've seen for OpenSSL are a bit challenging to wade through. There's a good deal of theoretical input on the values of open source development; however, you have identified the key point. Regardless, you have a single-source small organization that is responsible to actively work on the project and maintain a distribution of OpenSSL. I'm not anti-open source either, but for this particular security feature I personally feel that a commercial implementation is a smart solution.
5) Commercial software providers often license their products with indemnification, and thus you have a for-profit commercial entity taking responsibility, with the repercussion that their continued ability to sustain revenue is at stake.
6) One of the areas that caused Heartbleed to be so 'catastrophic' was the widespread use and utilization of OpenSSL. I would venture to say that most of the two-thirds of the world's implementations didn't question adoption as you are doing now. Commercial solutions offer variety. Those companies that did not use OpenSSL were not affected.
JShima