# About backdoors in OpenBSD



## -Snake- (Jun 16, 2016)

I did read about the topic, and I'm not very sure: does OpenBSD have backdoors? I read people saying not to use OpenBSD because of this.


----------



## kpa (Jun 16, 2016)

What is your source for such claims? OpenBSD has been known for its emphasis on security for years, even to a point where they sacrifice performance for security. PF is a good example of the policy.


----------



## Cthulhux (Jun 16, 2016)

To be precise, OpenBSD has its emphasis on correctness and simplicity ("KISS"), implying more security because of maintainable code.

Also, there's no such thing as "security".


----------



## sidetone (Jun 16, 2016)

I read a long time ago that OpenBSD, even though marketed on security, wasn't as secure as NetBSD or FreeBSD, or that it had some type of flaws. I'm not able to find the source for this anymore. It is also a questionable claim, or it's questionable what the motive is for why that was said. Or was there a slight truth to it?

The model it uses as of today, of completely reassembling new releases of the operating system, and constantly verifying code, looks like a good one. It also looks good how their page claims they had few security holes in many years. I wonder what Oko would say about it.


----------



## Cthulhux (Jun 17, 2016)

You've probably read that anti-BSD troll blog. Not relevant here.
But, to be honest, NetBSD is almost as _secure_ as OpenBSD today, at least architecture-wise.


----------



## sidetone (Jun 17, 2016)

That sounds right. Someone who was bitter did come to mind. A true security flaw would be thinking you have security, especially where security flaws are rarest.

As for completely secure, it seems too good to be true.


----------



## shepper (Jun 17, 2016)

Cthulhux said:


> But, to be honest, NetBSD is almost as _secure_ as OpenBSD today, at least architecture-wise.



I don't believe that this is as true today as it has been in the past, and I will provide the following as evidence.

NetBSD did not have a security update for OpenSSL from October 2015 to April 2016, and yet FreeBSD had multiple OpenSSL updates during the same period. OpenSSL is in the base release for both NetBSD and FreeBSD.

OpenBSD has forked OpenSSL to LibreSSL, removed thousands of lines of deprecated code and also provided several security patches during the same period.

I'm not saying NetBSD is slacking off; I just don't think they have the manpower.


----------



## Oko (Jun 17, 2016)

-Snake- said:


> I did read about the topic, and I'm not very sure: does OpenBSD have backdoors? I read people saying not to use OpenBSD because of this.


You read it right! Don't use OpenBSD; it is full of security holes. I know of at least two remote holes in the default install, in a heck of a long time!

@wblock@

It is so sad to see this kind of low-level post after such a great BSDCan 2016 and all that display of comradery among various BSD projects. It makes me wonder if there is a way to enforce minimal technical competence before letting people post here.


----------



## -Snake- (Jun 17, 2016)

I meant this:

http://www.linuxjournal.com/content/allegations-openbsd-backdoors-may-be-true


----------



## Cthulhux (Jun 17, 2016)

shepper Software versions are not architecture.


----------



## kpa (Jun 17, 2016)

That article is from 2010, so it's very much water under the bridge now. Nothing ever came out of those allegations; some "questionable" code was indeed found, but it turned out to be sloppy programming and OpenBSD's code reviews were able to rectify the problems.


----------



## Deleted member 48958 (Jun 17, 2016)

-Snake- said:


> I meant this:
> 
> http://www.linuxjournal.com/content/allegations-openbsd-backdoors-may-be-true



OpenBSD is one of the most secure operating systems IMO, no matter what some GNU/Linux fanboys fangirls wrote about it 6 years ago.


----------



## sidetone (Jun 17, 2016)

Actually, the article says that OpenBSD investigated the allegations and worked to clean up the code. The FBI wanting backdoors is nothing new; they tried with Apple, and Linux had/has SELinux, which was largely contributed to by the NSA. Theo de Raadt was against it. That is an issue with all of open source, but at least OpenBSD gave itself a reputation of cleaning that up.


----------



## SirDice (Jun 17, 2016)

https://cryptome.org/2012/01/0032.htm


----------



## Cthulhux (Jun 17, 2016)

ILUXA said:


> OpenBSD is one of the most secure operating systems *IMO*



I don't think opinions matter here.


----------



## -Snake- (Jun 17, 2016)

OK, thanks for the reply. I think Linux fanboys have exaggerated things a lot.


----------



## wblock@ (Jun 17, 2016)

Seems like a good place to end this thread.


----------

