
S2n Is Now Handling 100 Percent of SSL Traffic for Amazon S3 - NeutronBoy
https://aws.amazon.com/blogs/security/s2n-is-now-handling-100-percent-of-of-ssl-traffic-for-amazon-s3/
======
luhn
One thing they don't mention is that it's built against libcrypto. They make
it seem like this replaces OpenSSL, but it really only replaces half of it
(libssl).

Still an exciting project, especially since the API looks dirt simple to use,
but it doesn't live up to the awe I felt when I, at first glance, thought they
had given a big middle finger and left OpenSSL behind entirely.

~~~
cperciva
It only replaced half of OpenSSL, but it replaces the half which has been
responsible for almost all of the worst vulnerabilities.

~~~
jlouis
Erlang has the `ssl` application which is built on top of `crypto`. The latter
uses OpenSSLs libcrypto, but ssl is written in Erlang.

Historically, whenever there is an OpenSSL vulnerability, it doesn't affect
the ssl application, and so Erlang isn't vulnerable. In short, corroboration.

------
rkeene2
Is there a FIPS 140-2 validated version of "s2n" somewhere ? I couldn't find
anything close to it on the FIPS 140-2 validated products list.

If not, how does Amazon get away with using S3 as part of GovCloud, which
purports itself to be NIST SP 800-53 compliant, one requirement of which is
NIST SP 800-53 Control SC-13 (
[https://web.nvd.nist.gov/view/800-53/Rev4/control?controlNam...](https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=SC-13)
), which says, while it does not mandate cryptography, if you do use
cryptography to satisfy any of the other controls the cryptography must be
certified to the appropriate level (classified data must use NSA-approved
cryptography, digital signatures must use FIPS-validated cryptography).

This is a base control for NIST SP 800-53, which is a requirement for FedRAMP.

~~~
apendleton
The body text is a bit more qualified than the headline:

> we have replaced OpenSSL with s2n for all internal and external SSL traffic
> in Amazon Simple Storage Service (Amazon S3) commercial regions

I suspect that "commercial regions" excludes govcloud.

~~~
rkeene2
Darn. I should have read the fine article, but I was really hopefully that
there would be a migration path off OpenSSL... RedHat has FIPS validated most
of their software, but it is expensive and slow work that someone building
from source cannot leverage, unlike OpenSSL.

------
geerlingguy
I'm surprised there are no comments yet... I haven't heard of S2n until
reading this post, but it sounds like it could potentially replace OpenSSL
usage?

~~~
ppoint
I think it's relying on libcrypto from openssl, at least that was the case
when it came out. E.g. it implements TLS/SSL protocols only, no crypto. Not
sure if that's changed and they implemented crypto as well.

~~~
frutiger
From a brief perusal of the source code[0], it still does. It makes this claim
on the `README.md` seem rather disingenuous:

> One of the key benefits to s2n is far less code surface, with approximately
> 6,000 lines of code (compared to OpenSSL’s approximately 500,000 lines).

0:
[https://github.com/awslabs/s2n/blob/master/crypto/s2n_dhe.h#...](https://github.com/awslabs/s2n/blob/master/crypto/s2n_dhe.h#L18)

------
kev009
It's two orders of magnitude less code, but I would be hesitant to say it's
more than a linear decrease in vulnerability. Rust (or OCaml in the past) seem
like a match made in heaven for solving Heartbleed and Cloudbleed type of
problems.

~~~
nickpsecurity
It's been done:

[https://github.com/mirleft/ocaml-tls](https://github.com/mirleft/ocaml-tls)

[https://usenix15.nqsb.io/](https://usenix15.nqsb.io/)

------
Robin_Message
> identifying memory leaks through fuzz testing.

Do you think that was in the original draft of the release?

