
LibreSSL - janvdberg
http://www.libressl.org/
======
TacticalCoder
I may have a stupid question but...

While I really enjoy Theo's talks and writings, I wonder if the fact that the
VCS is CVS ain't a security issue in itself?

It's been a _really_ long time since I used CVS but I remember that attempts
to introduce backdoors in projects using Git as a (D)VCS have been caught (it
was in the Linux kernel I think). IIRC some attempts were caught precisely
because it's hard to fake SHA hashes and so people can't really "mess" with
the history of a DVCS like Git: too many people noticed a critical file having
no business being modified being, well... Modified.

Once again, it was quite a while ago but I'm pretty certain that both the fact
that Git was decentralized and that Git was using cryptographically secure
hashes was touted as a "Good Thing" [TM] that helped catch the backdooring
attempts.

Ain't using CVS potentially an issue here?

~~~
gnoway
Git uses SHA-1 hashes, which have not been considered cryptographically secure
since 2005.

Git and CVS are both just tools. They each provide a server implementation,
but it's uncommon to use either of these for write access in large projects.
It's more common to wrap CVS or Git with a different frontend like HTTPS or
SSH. My guess is that the OpenBSD guys use OpenSSH.

This team is fanatical about security and process. I am completely comfortable
with them using whichever tools they want.

~~~
gnoway
The edit button is gone. I guess these expire?

My reply was not intended as an attack on Git. I use it daily and would choose
it 10 times out of 10 vs. CVS for a new project. I just think the assertion
that Git 'saved' Linux from some backdooring attempts because it's
decentralized and uses cryptographic hashes is wrong; it's not the tools that
make this happen, it's the processes around the use of these tools which do
that.

I don't know any OpenBSD developers nor do I have any inside knowledge of how
their team works, but I know from observation that they are a small team with
high standards for code style and quality. They don't just let anyone commit
code and appear to be thorough with code review. When procedural/practice
problems are identified in the industry, they are proactive about mitigating
or fixing those. They have a demonstrated track record of good releases.
Basically, I don't see any reason to question their use of CVS.

~~~
TacticalCoder
(first note that I didn't assert anything: I asked question(s) and used "IIRC"
etc.)

I found the story back and things are, IMHO, actually quite interesting... If
only because the attempt was made after someone ill-intentioned gained access
to Linux's CVS repository.

Back then Linux was still using BitKeeper (decentralized) for Linus hadn't
created Git yet (so I was not remembering things correctly here). But
apparently some people didn't like BitKeeper so there was a CVS clone of the
BitKeeper version. And it's in the CVS repo that the attempt took place (after
someone hacked his way into the server hosting the CVS repo).

Here's the story:

[https://freedom-to-tinker.com/blog/felten/the-linux-backdoor...](https://freedom-to-tinker.com/blog/felten/the-linux-backdoor-attempt-of-2003/)

Now even though Linus didn't choose SHA-1 for its cryptographic properties and
even if SHA-1 is not SHA-256 nor SHA-3, it still looks like an attacker
gaining access to a CVS repo would have a much easier time inserting a
backdoor than an attacker gaining access to DVCS using cryptographic hashes
(which user KMag here explained nicely).

------
sarahj
I understand the point but this comes across as immature. OpenSSL has provided
years of free software, supporting thousands of sites and applications.

Of course it has its problems, and there is nothing wrong with adding more
competition in this space.

But what this space needs now, more than ever, is professionalism and pride in
craft (by which I mean demonstrable unit test coverage, regression testing,
fuzz testing and documentation) not silly music video jabs.

~~~
alexcroox
Agreed, the tone of the page and the footer prevents me from taking these guys
seriously, especially in this area (even more so with recent events).

~~~
DonHopkins
At least they succeeded in their goal of annoying web hipsters. Why don't you
sell your fixie on craigslist and donate some money anyway, please?

~~~
DanBC
Do you think your tone will encourage anyone to donate?

~~~
DonHopkins
Well, I donated because I was glad it annoyed him, so I assume other people
might, too. ;)

------
abcd_f
> removed MacOS, Netware, OS/2, VMS and Windows build machinery

What are the plans for native Windows support? I don't know what they mean by
"The right Portability team in place", but it'd be a joke if the lib would
require CygWin or some other external portability scaffolding. And without
proper Windows support LibreSSL will simply fragment OpenSSL user base. I
guess it's still better than nothing, but it definitely won't be an OpenSSL
"replacement."

~~~
frik
maybe it's better to switch to NSS, the original SSL library developed by
Netscape (now by Mozilla, Google, etc.), that is available under better open
source licenses, is used in Firefox, (Chrome), OpenOffice, etc. and has an
optional compatible API to OpenSSL:
[http://en.wikipedia.org/wiki/Network_Security_Services](http://en.wikipedia.org/wiki/Network_Security_Services)

~~~
ProblemFactory
Curiously, the Heartbleed bug was found by the Google engineer who is working
on replacing NSS with OpenSSL in Chrome:
[https://docs.google.com/document/d/1ML11ZyyMpnAr6clIAwWrXD53...](https://docs.google.com/document/d/1ML11ZyyMpnAr6clIAwWrXD53pQgNR-DppMYwt9XvE6s/edit?pli=1)

From the Pros & Cons table, it doesn't seem that NSS is obviously superior to
OpenSSL. Both seem to suffer from focus on extra features instead of
maintenance and reliability.

~~~
rockdoe
The reasoning there is, certainly post-Heartbleed, very scary. Their
conclusion boils down to that they want to use the system-provided OpenSSL on
Android, rather than shipping NSS.

This might be fine if you're running a Nexus device that still gets updates to
the latest Android (Nexus 4 and later?). But for everyone else, that's
effectively forcing people to get a new Android phone if they don't want to
get stuck with a horribly insecure phone.

Oh, I see the point already...

~~~
thefreeman
I mean couldn't you say the same thing if a vulnerability was found in NSS?

~~~
mercurial
No, because Android system updates are slow to come (or may never happen),
while anything coming from the Google Play store (like Chrome) is timely.

~~~
rgbrenner
In the doc, Google says NSS would need to be added to the base Android image..
so it's not going to be updated any faster than openSSL.

 _When powering WebView, Chromium on Android uses the Android system-provided
OpenSSL library - something not available to applications building with the
Android NDK (like Chrome for Android or other Chromium-based Android
applications). This helps reduce memory usage by having a single shared
library in memory. To accomplish this with NSS, NSS would have to be part of
the Android base image - which would still increase memory usage, as most
other Android (native) services would still use OpenSSL._

------
vayarajesh
Comic sans?? lol!

This page scientifically designed to annoy web hipsters. Donate now to stop
the Comic Sans and Blink Tags

~~~
zorbo
Ah yes, the kind of professionalism I've come to expect from OpenBSD. They
make decent software, but boy could they use some work in the PR department.

~~~
q3k
I'd rather have great software and shitty PR than the recent trend of
obnoxiously beautiful landing pages for “world-changing” shitty web apps.

~~~
zorbo
You can have great software without insulting half the internet and being an
immature brat. A beautiful landing page is optional.

~~~
copergi
>You can have great software without insulting half the internet

You overestimate how many web hipsters there are. And annoying them is not
"being an immature brat". It is precisely to discourage their involvement.
Because the mentality behind the web fads are precisely why the entire world
of software is layers upon layers of shit stacked on top of each other.

------
binaryapparatus
While most of us just talk, these guys actually did something of great
importance. Hell yeah they have all the rights to step on some toes and make
fun as they see fit.

I'd always salute doing stuff vs being politically correct.

------
mehrdada
One annoying thing about OpenSSL is its license. I hope The Better
Replacement™ fixes that as well (especially if its name gets to contain the
string "Libre"), and it is not going to happen by forking OpenSSL.

~~~
claudius
They are already placing completely rewritten files under ‘better’ licenses,
so the license switch might happen file-by-file over a long period of time.

~~~
gioele
Is that strategy possible at all? Are there cases tested in courts (both US
and EU) that assert that the file-by-file licence replacement really works?

~~~
mehrdada
Why wouldn't it? The author of the file will be the copyright holder by the
virtue of authoring it. If she does not get rid of it, she still remains the
copyright holder. Copyright does not switch owners purely by the virtue of
distribution with another piece of work.

IANAL.

~~~
gioele
But isn't the ISC file a "derivative work" of the Apache 1.0 and thus subject to
the same limits?

~~~
mehrdada
The copyright holders can later on relicense the work under something else.
Licensing a work under some non-exclusive license does not restrict you from
licensing it again in the future under other terms.

------
claudius
It seems that it is indeed the official site (as linked-to on
[http://www.openbsdfoundation.org/](http://www.openbsdfoundation.org/)), just
in case there are any doubts…for no reason whatsoever.

------
edent
Somewhat ironic that [https://www.libressl.org/](https://www.libressl.org/)
doesn't work, no?

~~~
anaphor
Not really considering you have to buy certs if you want people to use your
site, it doesn't have any sensitive data on it (not even source code or
binaries), and they haven't finished cleaning it up to their standards yet.

~~~
phlo
StartCom/StartSSL [1] and, to my knowledge, Comodo [2] do offer free (and
widely supported) SSL certs. Charges may apply to revoke certificates if a
private key is leaked ($25 at StartSSL, IIRC).

As for why SSL should be used everywhere: It improves security and makes
eavesdropping more expensive. For the first point, see the BEAST and CRIME
attacks. On vulnerable systems, a single unencrypted connection may be used to
reveal data from other, encrypted streams. As for the second: if only
sensitive data is encrypted, all encrypted streams automatically become
"interesting" to a potential eavesdropper. If, however, _everything_ is
encrypted, all streams become equal again. The cost of storing all
communications becomes much higher, and the ratio of cost and reward of
decrypting a single captured stream worsens (as you may either reveal
sensitive or non-sensitive data).

[1] [https://www.startssl.com/](https://www.startssl.com/)

[2] [http://www.instantssl.com/ssl-certificate-products/free-ssl-...](http://www.instantssl.com/ssl-certificate-products/free-ssl-certificate.html)

~~~
watwut
If you have to pay for revocation, then it is not a free certificate. It is just
a certificate with fees postponed. It is not the same thing. Not sure about you,
but when I buy things I do not consider only the initial price, but also
additional fees.

If we want SSL used everywhere, browsers need to accept self-signed certificates
in a less obtuse way or there needs to be another way to get really free ones.

~~~
watwut
Why was this downvoted?

------
broodbucket
As someone without the Microsoft fonts using a browser that doesn't support
the blink tag, I've totally missed out on the experience :(

~~~
DonHopkins
Please, have some mercy on the rest of humanity and just donate anyway!!! I
just sent them some money. Now I can sleep at night.

------
gpcz
I've been thinking recently about Heartbleed, and I was wondering if by
writing C code to implement various network and cryptographic protocols, we're
acting as human compilers for something that might be better represented in a
more abstract format. I know there's some research on this already (the Austin
Protocol Compiler), but does anyone here know of any other serious efforts to
take the human out of the equation in terms of implementing protocols in C?

~~~
hsivonen
Rust ([http://www.rust-lang.org/](http://www.rust-lang.org/)) is a serious
effort to build a language that's close to metal like C but safe.

~~~
carussell
I think gpcz was suggesting something more along the lines of an entirely new
approach to protocol implementation, like VPRI's TCP/IP stack that Jeff Moser
describes[1], rather than just swapping out C for something else while keeping
the hand-written aspect.

> Let's say we want to build the TCP/IP stack of an operating system. A
> traditional implementation might take 10,000 lines of code. What if you
> rethought the design from the ground up? What if you could make the IP
> packet handling code look almost identical to the RFC 791 diagram which
> defines IP?

If the industry as whole could agree on this approach in a move similar to the
Dijkstra/structured programming move that happened a few decades back, the
sort of verifiable interoperability + security that Meredith Patterson and
Sergey Bratus (who you may recognize from Occupy Babel![2]) call for would be
closer to reach[3].

1\. Jeff Moser. Towards Moore's Law Software: Part 3 of 3.
[https://www.youtube.com/watch?v=UzjfeFJJseU](https://www.youtube.com/watch?v=UzjfeFJJseU)

2\. Occupy Babel!.
[http://www.cs.dartmouth.edu/~sergey/langsec/occupy/](http://www.cs.dartmouth.edu/~sergey/langsec/occupy/)

3\. Meredith Patterson. LANGSEC 2011–2016.
[https://www.youtube.com/watch?v=UzjfeFJJseU](https://www.youtube.com/watch?v=UzjfeFJJseU)

------
Xylakant
I'm curious what they mean by "free", they put it in bold caps. Since it's a
fork of OpenSSL that probably implies that the OpenSSL license remains
attached to the code at least until all of the relevant code has either been
rewritten or removed.

------
deegles
Some of the commit comments are entertaining: "Fix some serious pointer-
arithmatic-magic-number-unchecked-return eyebleed that I stumbled into here
and got stuck with. If modern society can get past selling daughters for cows,
surely we can decide to write modern C code in an "application" that is
probably 3 lines of shell/python/cgi away from talking to the internet in a
lot of places.. (This file still needs a lot more love though) "oh god yuck"
deraadt@ ok tedu@"

[http://freshbsd.org/commit/openbsd/fc55d7f9ab6fcadd0ca2f8231...](http://freshbsd.org/commit/openbsd/fc55d7f9ab6fcadd0ca2f8231f2559eace1aff53)

------
lifthrasiir
It should rename to LibibreSSL instead, so that one can link the library with
`-libressl`. Other than that, I appreciate this effort (no pun intended).

~~~
SwellJoe
Why wouldn't they just make it available for linking as "ibressl" rather than
naming the project that? LibibreSSL is unwieldy to put it mildly, and
meaningless without the context of the original name.

------
marlin
OpenBSD folks, what is your obsession with CVS????

~~~
mrweasel
Why are people so obsessed with getting the OpenBSD developers to move from
CVS? If it works for them and does what they need there's no need to move.

~~~
antocv
For security reasons.

It is possible with CVS and even SVN to insert bad code on their repository
server - but with git that's much harder if not impossible to do.

~~~
nfoz
Can you explain how this attack works, or provide a link?

~~~
antocv
Let's assume somehow you as attacker got access to the box where their CVS
process is running.

Now you can edit a file, insert a line or change a "uid != 0" to "uid = 0",
you also edit the history of the CVS repository to make it seem that this
change was introduced with some patch 3 years ago by Theo. Because it's CVS or
SVN the history is in the server, and not on every developer's computer. Next
time the devs build the tar.gz for distribution your bug is in it.

This won't be allowed with Git or Mercurial, because if you try to rewrite the
history, well good luck making a SHA-1 collision on source files. That stops
it.

~~~
nfoz
Ah that makes sense. Thanks!!

------
fab13n
With close to years of C under my belt, I believe it's a major error, today,
to write a critical cryptographic library in C.

OK, do the codecs in C if it's the only way to meet performance requirements.
But the rest must be written in a language that's reasonably analyzable
statically, and with adequate abstractions. Seriously, have you looked at the
filthy mess of leaky abstractions that OpenSSL's BIO system is? How many bugs
could be found and/or planted by a 3-letters agency in that crap? Is there
anyone who's comfortable with its #ifdef labyrinths?

Finally, I don't think you can retrofit clarity in OpenSSL any better than you
could, say, retrofit virus-resilience in a Microsoft OS that hasn't been
originally designed for hostile network environments. I used to believe
OpenSSL was made messy in order to sell consulting hours, since Snowden I have
a more paranoid hypothesis.

~~~
Pacabel
Like we always have to ask when somebody says what you have, "What's the
alternative?"

Whatever it is, it'll need to be very portable (well beyond just Linux, OS X
and Windows), and it'll presumably need a free implementation on each of those
platforms, and it'll need to be quite fast, and it'll need to support native
compilation, and it'll need to support interoperability with existing code,
and it'll need to be "safer" in some way.

At this time, there are very, very few languages that meet every one of those
criteria sufficiently. We're looking at C, or C++. Maybe Ada. But that's about
it. Rust doesn't cut it yet, and probably won't for some time. Other
candidates are lacking severely in one or more of those important areas.

C++ using modern techniques appears to be the only feasible alternative to C
today.

~~~
JasonFruit
Ada sounds like an excellent choice. Of course, it's No Fun By Design™, but
it's very, very safe.

------
EGKW
What's with the link to YouTube under "OpenSSL"? Supposed to be a joke? Or
just a hair in the link soup?

~~~
tete
The OpenBSD folks love all kinds of music:

[http://openbsd.com/lyrics.html](http://openbsd.com/lyrics.html)

------
facepalm
I'm assuming it is a parody (because of the font)?

In any case forking OpenSSL seems like a knee jerk reaction?

~~~
arcatek
"This page scientifically designed to annoy web hipsters. Donate now to stop
the Comic Sans and Blink Tags"

~~~
facepalm
Shouldn't they rather worry about making SSL secure? I don't think I like
their attitude.

~~~
rymate1234
They are, that's why they haven't spent much time on the website.

------
rurounijones
Since this is related. I have a question:

How can they know that they have not broken something in their flensing
without any automated testing since no tests is one of the big problems with
OpenSSL?

~~~
mrmincent
I believe they are compiling the openbsd packages with it, so I guess it is a
decent set to test against.

~~~
rurounijones
Ah, so compile openbsd packages against it then run the tests for those
packages.

Sort-of-integration testing. Gotchya

------
pikimeister
It's indeed a great effort. Let's just hope that it delivers what it is promising
and doesn't bring other sorts of vulnerabilities due to the new
implementation/code.

~~~
sigzero
I, for one, would be extremely surprised if that happened. They are very
thorough (even considering incomplete docs as a bug to be fixed).

------
MonsieurHoho
I don't get the point of this fork. Usually when a project is forked, it means
that people want to keep the code base but disagree with the way the project
is managed.

After heartbleed everybody blamed OpenSSL's bloated code base and it became
apparent that many contributions came from volunteers with very little financing.

By forking the project, LibreSSL will keep the problematic code legacy and
split the community. Maybe I am missing something, but it looks like
opportunism here...

~~~
AlexMeesters
> After heartbleed everybody blamed OpenSSL's bloated code base <

And this is exactly what they are fixing.

OpenSSL's response was to fix heartbleed and move on, not fixing the more
broad problem of too much code cruft that led to the bug. IMHO they are right
to fork it, OpenSSL's lack of reaction to this is a cause for concern. I am
sure Theo (de Raadt) and his team can tackle this, making the code base much
much leaner, reducing the risks of bugs similar to heartbleed. And there is
really no excuse for OpenSSL to deny that.

Also I think OpenSSL has too much technical debt to be efficient in tackling a
cleanup like this.

------
euske
This is one of the best things that happened in the open source world
recently. I like their attitude towards "web hipsters" too. They're serious
folks who shut up and write _AND READ_ codes.

It's funny that they do this "donate to stop blinking" thing again. They have
been doing it for OpenSSH since 2000. cf.
[http://www.openssh.com/](http://www.openssh.com/)

------
antirez
I imagine supporting non-POSIX operating systems, or not exactly conforming
ones, to have its challenges, but is it really hard to make this stuff work
in Linux and Open/NET/Free BSD from day one? It seems to me a better approach
to start this way, not to mention that the potential developer base you
get if you support Linux ASAP can be larger.

~~~
rodgerd
OpenSSH also deliberately trashed cross-platform compatibility. This makes it
amusing whenever someone flounces off to OpenBSD because they think systemd
should have been written portably.

~~~
copergi
Yeah, fuck those openbsd guys and their totally not portable openssh that you
can't run on anything but openbsd!

~~~
rodgerd
Portable OpenSSH is a separately run project, for the hard of thinking.

------
Confusion
Has anyone seen an explanation for why this effort isn't being undertaken
_together with_ the OpenSSL team?

~~~
zorbo
I haven't seen an explanation for it, but one reasonable guess would be
momentum. If you want to get work done, you don't want to have to wade through
red-tape and bureaucracy to get it done. You don't want to work on something
with the risk of it being shot-down by the current maintainers. This is not a
criticism of the OpenSSL team, it's just a fact of life that it's often easier
to "start fresh" than to try to change an already established routine.

I also suspect that part of the reason is because OpenBSD just doesn't work
well with others.

------
chris_wot
I refer everyone to this thread -
[https://plus.google.com/u/0/+jwildeboer/posts/Tuw81zXqtcC](https://plus.google.com/u/0/+jwildeboer/posts/Tuw81zXqtcC)

"Suggesting to call the fork LibreSSL or LibreTLS just to offend everyone.
trololo"

And it was so.

------
thomseddon
Does anyone have a link to repo in which it's being developed?

~~~
woodson
[http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/](http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/)

------
jbergstroem
Since libressl.org doesn't seem to contain this information, hopefully someone
here perhaps knows more about it: Is it possible to donate specifically to
subprojects? As a previous donator to the OpenBSD foundation, being able to do
so would hopefully aid receivers of those funds not only use time (timing) as
one way to measure the potential success of libressl.

Attitude and font choice aside, I can't help somewhat feel that one could
explore better ways to funnel interest, commitment and donations to a project
such as this; especially since it sparked as a result of heartbleed.

------
seanieb
Wouldn't the name LibreTLS be more appropriate?

~~~
TheCoreh
Or OpenTLS, to still match the OpenBSD naming convention.

------
petval
I like their tools like pfctl, raidctl. Hopefully they create something like
sslctl.

~~~
floatboth
OpenSSL is a library, not a program like pf.

~~~
alex4nder
You know, except for the 'openssl' executable that builds, and a lot of people
use.

------
cridenour
"No we don't want help making web pages, thank you."

Seems silly to turn away help.

~~~
clarry
Managing a flock of web devs and telling them all they're doing it wrong would
eat up time that could've been spent on the actual code. So it's not actually
help.

------
codecondo
I was going to ASK HN, when are we going to see a replacement for OpenSSL; you
know, the company that has much more field experience, or even understanding
of how SSL operates.

I then thought to myself, that'd be going too far..and nobody is really going
to try and make an alternative.

Oh boy..

------
slashdotaccount
[https://twitter.com/matthew_d_green/status/45696043584599654...](https://twitter.com/matthew_d_green/status/456960435845996544)

~~~
X-Istence
Now go read this:
[https://twitter.com/MiodVallat/status/457169266748715008](https://twitter.com/MiodVallat/status/457169266748715008)

And the whole thread ... and problem doesn't exist.

\---

Same thing was brought up in this HN thread:
[https://news.ycombinator.com/item?id=7604364](https://news.ycombinator.com/item?id=7604364)

------
nottrobin
Site straining under the load of HN visitors?

------
adamtj
I just donated my $100. Have you?

~~~
JDShu
No.

------
antocv
"No we don't need help with making web pages"

it's just a bunch of html very simple 1990s tags and it still looks and works
much better than any html5 css3 bootstrap fanboy page I've ever seen.

Awesomeness

~~~
adamman
You must be trolling.

The site is ugly and I'm sure they would agree. That clearly is not the focus
of their work.

~~~
scintill76
"This page scientifically designed to annoy web hipsters. Donate now to stop
the Comic Sans and Blink Tags."

They know. I find simple HTML like [http://cr.yp.to/](http://cr.yp.to/) to be
refreshing sometimes, albeit not "pretty." But with the font and blink tag
(powered by CSS), they've gone out of their way to make it a bit ugly. At
least they drew a line and don't have headache-inducing colors or animations.

------
chuckreynolds
comic sans? really?

~~~
Dosenpfand
>This page scientifically designed to annoy web hipsters. Donate now to stop
the Comic Sans and Blink Tags

------
eyan
oooh. lots of whiners here.

------
vayarajesh
They should donate to replace comic sans with this much morder version of
comic sans [http://comicneue.com/](http://comicneue.com/)

------
madospace
Dear god.. Y comic sans .. !!!!

------
halfdan
Comic Sans, really?

------
lmedinas
A fork is not the solution for world problems period.

------
DiabloD3
Comic Sans? Really?

Edit: To those downvoting, yes, I saw the footer. This doesn't excuse their
childish behavior. I will not be donating to this project if this is the level
of seriousness they have for it.

~~~
keyle
I was about to post the exact same question.

And if that's supposed to promote donations... (?!)

Ask yourself if a founder dresses as a clown to get funding.

~~~
tragic
Ask yourself which hipster start-up is going to do a comprehensive rewrite job
on OpenSSL - or, for that matter, which SV VC is going to bung a few million
green sheets into something like this (which, if we're honest, we could all do
with happening, rather than the next DOA social media start up with a
-ly/-able/-r suffix).

If these people are prepared to take this on, then they can use whatever fonts
they bloody well like. As a web hipster, I will pay them for punishing my
hubris.

Having said that, I can't seem to find a browser in which the blink tags
actually, er, blink. Did all the vendors shitcan it on the quiet? I think we
should be told.

~~~
icebraining
Firefox dumped it in version 23, and they did report that on the changelog[1].
jwz even wrote a post lamenting it[2].

[1] [https://www.mozilla.org/en-US/firefox/23.0/releasenotes/](https://www.mozilla.org/en-US/firefox/23.0/releasenotes/)

[2] [http://www.jwz.org/blog/2013/08/a-light-has-gone-out-on-the-...](http://www.jwz.org/blog/2013/08/a-light-has-gone-out-on-the-web/)

~~~
tragic
That doesn't surprise me, but IE10 in IE7 compat mode in IE5 Quirks document
mode still didn't blink for me. Farewell, old friend.

(Wonder if marquee still works. EDIT: yes, it does. Thank the lord for that.)

------
mangia
Please use Comic sans font.... Oh wait !

------
mykhal
libressl.org is inaccessible via ssl - is it some kind of irony or something?

~~~
sigzero
Why would they need that for a temporary web page? And one that has no need to
be accessed via ssl? They threw together a page to give you some information
and that is all.

------
bosky101
Ironic, that this website does not use SSL.

~B

------
tete
Everyone clicked on OpenSSL yet? ;)

