| ▲ | nelsonic 7 hours ago |
| With all the security issues constantly being uncovered in other Operating Systems - which will only accelerate with Ai - it’s time everyone considers OpenBSD. Their decades-long security-focus is second to none. We have fully converted from Ubuntu/Debian to OpenBSD. No looking back. |
|
| ▲ | pjmlp 25 minutes ago | parent | next [-] |
| Unfortunately the hardware support isn't there for many systems. If I had to pick a BSD, it would be FreeBSD anyway. |
|
| ▲ | infinet 4 hours ago | parent | prev | next [-] |
| I tried OpenBSD recently and found it behaves very differently from other OS. The same code works on Linux/FreeBSD/Windows but has poor multi thread performance on OpenBSD, async socket stopped working after sending at high speed for few seconds. I am not saying there is anything wrong in OpenBSD, it is just different. |
| |
| ▲ | nelsonic 2 hours ago | parent | next [-] | | Is the code you ran on your OpenBSD available (e.g. on GitHub) for others to test?
Curious what async issue you faced, did you report it? Or ask for help addressing? | | | |
| ▲ | skydhash 2 hours ago | parent | prev [-] | | OpenBSD uses a Giant Lock model (simpler code) instead of the fine grained locking mechanism in Linux. And Linux has a some quirks and hacks to improve performance (instead of doing the slow, but correct thing). One example is the USB Gadget thing. |
|
|
| ▲ | maxall4 6 hours ago | parent | prev | next [-] |
| Is OpenBSD actually more secure than Linux? I have not been able to find any data to support this—only some vague opinions. |
| |
| ▲ | nelsonic 5 hours ago | parent | next [-] | | The Data: Compare the number of CVE vulnerability trends over time between
Linux: https://www.cvedetails.com/vendor/33
and
OpenBSD: https://www.cvedetails.com/vendor/97 It's not even close! It's nearly two orders of magnitude higher for Linux.
This isn't anecdotal or “vague opinion” CVEs are facts. You can ask the follow-up question: Why is that? And there are many reasons.
It could just be that Linux having more users/eyes means more bugs are surfaced ...
But you need to dig deeper to understand why OpenBSD is so much more secure,
the core team of OpenBSD proactively reviews the security of other OSes and when they learn something, they rapidly implement the feature/fix in OpenBSD. Again, read: https://en.wikipedia.org/wiki/OpenBSD_security_features
Many of the proactive security features OpenBSD has are not implemented by other OSes. And in the case of kernel-level Crypto, they won't ever be because US export restrictions. | | |
| ▲ | wartijn_ 3 hours ago | parent | next [-] | | > This isn't anecdotal or “vague opinion” CVEs are facts No they aren't, they're data. Your source shows the amount of Linux CVEs in 2024 are an order of magnitude higher than the amount of Linux CVEs in 2023. Does that mean Linux became way more insecure in 2024? You imply it does, but that's obviously not true. What happened is that Linux changed how they report CVEs [0]. Just like your source doesn't say anything useful about the difference in CVEs in Linux, it doesn't say anything about the difference in CVEs between Linux and OpenBSD. Lies, damn lies and statistics. [0] https://www.suse.com/c/linux-kernel-cve-increase-suse-explai... | | |
| ▲ | nelsonic an hour ago | parent [-] | | This announcement thread really isn’t the place to discuss or debate the data. The OP stated they couldn’t find any data to compare the relative security of Linux vs. OpenBSD. CVEs are independently, objectively verifiable and provable data. This is the dictionary definition of a verified “fact”. It’s not anyone’s opinion.
You don’t have to like it or me. Love you all. |
| |
| ▲ | tredre3 4 hours ago | parent | prev | next [-] | | > And there are many reasons. It could just be that Linux having more users/eyes means more bugs are surfaced You really brushed that one off, uh? The ratio of linux devices to openbsd is quite literally a million to one. The ratio of tech companies invested in linux to companies invested in openbsd is roughly 50,000 to 1. The ratio of professional security researchers paid to find flaws in Linux vs OpenBSD is harder to quantify at the moment, but I think we can guess a trend here. I can agree to a degree that OpenBSD takes security more seriously, and they have made very interesting design decisions to enforce their security model. But I entirely disagree that the number of "CVEs are facts" to back your opinion that it is superior. | |
| ▲ | cccbbbaaa 3 hours ago | parent | prev | next [-] | | Going by CVEs, Haiku is more secure than OpenBSD. Linux has had strong kernel-level crypto enabled by default on major distributions for years, see AF_ALG or LUKS. On the wiki page you provided, the only thing that really stands out at the kernel level is KARL, which has a dubious utility: https://isopenbsdsecu.re/mitigations/karl/ It is not even up to date: strlcpy(3) and strlcat(3) were implemented in glibc 3 years ago. | | | |
| ▲ | Tepix 5 hours ago | parent | prev [-] | | US export restrictions?
There are broad license exceptions since decades, so kernels like Linux are free distributable. Same would apply to OpenBSD. |
| |
| ▲ | tete an hour ago | parent | prev | next [-] | | Given from what Anthropic says with Mythos: Yes. | |
| ▲ | doublerabbit 5 hours ago | parent | prev | next [-] | | "Is Secure" is subjective. I would be in favour to say that out of the box OpenBSD is more secure than Linux. | | |
| ▲ | nelsonic 5 hours ago | parent [-] | | You are correct; OpenBSD is secure by default. And it's not subjective at all. The homepage of https://www.openbsd.org proudly states "Only two remote holes in the default install, in a heck of a long time!" if they didn't have the evidence to support the statement, the internet would have forced them to remove it by now. ;-) Remote (exploitable) holes are the ones we all care about. | | |
| ▲ | bombcar 3 hours ago | parent [-] | | The key (and not saying it's bad, mind you) is that the default install has very few services installed, let alone running or open. So even if Debian and OpenBSD ship the exact same web server, but Debian has it defaulted installed and on, but OpenBSD does not, then a remote exploit won't count against OpenBSD. | | |
| ▲ | Melatonic 2 hours ago | parent | next [-] | | Isn't that a good thing for certain use cases ? If you are building an appliance type thing (say a storage or networking device) then you would want something minimalist you can add only the necessary services on. And arent those the types of devices the BSD (in general) are used for ? Less attack surface always equals less potential for bugs/flaws/exploits regardless of how good red teaming tools and workflows get. Now obviously for other use cases Linux could be a much better option. | |
| ▲ | binkHN 3 hours ago | parent | prev [-] | | There was a time when Linux distributions shipped lots of things on by default; OpenBSD bucked the trend and did not. This is less of an issue nowadays. |
|
|
| |
| ▲ | 5 hours ago | parent | prev | next [-] | | [deleted] | |
| ▲ | stackghost 4 hours ago | parent | prev | next [-] | | It's not meaningfully more secure than e.g. Debian. Their claim to fame ("only two remote holes in the default install in X number of years") is definitionally only valid for the default install in its default configuration which means: no httpd, no smtpd, no unbound, etc. etc. etc. The default install isn't very useful, because it doesn't do a lot, and so "only two remote holes" or whatever isn't really saying much. For example: there are still CVEs popping up: https://nvd.nist.gov/vuln/detail/CVE-2024-11148 Linux has more CVEs because it's orders of magnitude more popular. OpenBSD has appalling performance, and more or less nobody uses it, so there just isn't a large focus on auditing and fixing it. It's a great research project, but I would not run it on my personal devices. Not because it's "insecure" but because the putative security benefits do not merit the shockingly poor performance. | | |
| ▲ | SoftTalker an hour ago | parent | next [-] | | I use it on my ~10 year old desktop as my everyday OS. Performance may be measurably worse on benchmarks, but I never notice it doing regular stuff as a user. It's fine. | |
| ▲ | irusensei 2 hours ago | parent | prev | next [-] | | > The default install isn't very useful, because it doesn't do a lot, and so "only two remote holes" or whatever isn't really saying much. Thats not really true. Comes with spamd, pf, httpd, OpenSMTPD and others. Its actually one of the open source unix-like systems that packs more functionality out of the box. Great firewall and VPN server. You can setup wireguard with just ifconfig. | | |
| ▲ | stackghost 2 hours ago | parent [-] | | Again: It comes with them on disk, but are they enabled by default? If not, then they are not covered by their "default install" boast. |
| |
| ▲ | Melatonic 2 hours ago | parent | prev [-] | | Don't most people use something FreeBSD based for production use ? I was under the impression OpenBSD was more used for testing and security research. For personal devices I'm not sure why anyone would run a BSD in the first place | | |
| ▲ | tolciho 10 minutes ago | parent | next [-] | | Easy to install and upgrade, sane defaults, good documentation, lack of waffleburgers of complexity, so I'm not sure why anyone wouldn't run OpenBSD in the first place. Granted I put Windows in the unusable bin and it's been there for decades now and sounds like it is getting worse, what passes for Mac OS X these days is not so good given that you have to disable some security thing to properly kill the annoying and disruptive notification system, among other annoyances still being fueded with, and I gave up on Linux after trying to support that waffleburger in production for a year or two. | |
| ▲ | stackghost 2 hours ago | parent | prev [-] | | OpenBSD is absolutely a research OS and that's okay. My understanding is that Netflix used to use FreeBSD to serve video, but I read somewhere they're no longer using it. Not sure how true that is. Some game consoles like the Playstation run a modified FreeBSD as their OS. |
|
| |
| ▲ | foofyter 5 hours ago | parent | prev | next [-] | | macOS is BSD roots on top of Darwin | | | |
| ▲ | tptacek 5 hours ago | parent | prev | next [-] | | No. (It's fine!) | |
| ▲ | JCattheATM 3 hours ago | parent | prev [-] | | No, not really. Linux has better options available and is significantly stronger when configured correctly. The OpenBSD approach ls largely based around eliminating bugs in the first place, but isn't as strong at limiting an attacker that successfully exploited a bug they missed or weren't responsible for. | | |
| ▲ | tete an hour ago | parent | next [-] | | Sorry but that's simply not true. There are various cases where vulnerabilities didn't affect OpenBSD due to defense in-depth in OpenBSD. OpenBSD has a pretty long history of eg. limiting attacks through compile time mitigations while making them more usable for every day use compared to specialized "high security" Linux distributions. This can also be seen in patches of third party software (in the ports (packages) system) that often have patches so the code can live with these limitations. One example of such a mitigation is W^X. Implemented in OpenBSD in 2003, copied later by Windows, Linux and the other BSDs (incl. macOS). https://en.wikipedia.org/wiki/W%5EX More recently of course pledge and unveil were also added. Also in 2003 OpenBSD was also the first mainstream (no research or test OS) that implemented strong ASLR that in 2005 was supported in Linux through third party patch sets. For a list, see here: https://www.openbsd.org/innovations.html Many things were later picked up by Linux distributions, kernel patchsets, compilers, etc. | | |
| ▲ | JCattheATM an hour ago | parent [-] | | It really is true. OpenBSD focuses on auditing. In many cases they were not affected because of mitigations, but because they were just using a different stack. OpenBSD wasn't affected by regreSSHion for example, for basically the same reason Alpine wasn't. OpenBSD didn't invent the concept behind W^X, and if you want to talk of 'copying', which I think is kind of silly personally, then PAX was first. I'm familiar with the list of OpenBSD innovations, and in turn I would point you to https://https://isopenbsdsecu.re/ for a breakdown of their claims and marketing. To this date OpenBSD doesn't have anything as simple as a proper ACL, let alone any type of MAC. They claim such systems are too complex, which is of course nonsense. It's like I said - they focus a lot on preventing an attacker gaining access, but have little available to constrain attackers who DO get access. | | |
| ▲ | binkHN 43 minutes ago | parent [-] | | > OpenBSD focuses on auditing. This is partially true; there are numerous other things that are done for mitigation outside of this. |
|
| |
| ▲ | binkHN 3 hours ago | parent | prev [-] | | > when configured correctly. These are the operative words. With OpenBSD, you get this out of the box and everything just works. With other operating systems, you have to do a lot of the legwork that's already been done for you with OpenBSD and make sure you didn't break things with your configuration. | | |
| ▲ | JCattheATM 3 hours ago | parent [-] | | > These are the operative words. These are words that when applied equally to Linux and OpenBSD, has Linux coming out ahead. > With OpenBSD, you get this out of the box and everything just works. With OpenBSD, out of the box you get a blank slate that really can't do anything, that you have to configure to do what you want, and currently can't be configured to be as secure as linux can be. |
|
|
|
|
| ▲ | fsflover 6 hours ago | parent | prev | next [-] |
| If you care about security, why not consider Qubes OS? Related discussion: https://forum.qubes-os.org/t/qubesos-vs-openbsd-security/790... |
| |
| ▲ | FuriouslyAdrift 6 hours ago | parent | next [-] | | If you really really care about security, then consider CHERI and CheriBSD https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/ | |
| ▲ | nelsonic 6 hours ago | parent | prev | next [-] | | Qubes OS uses the Linux kernel.
Without wanting to start a flame-war and with all respect to Linux, it’s not even close. See: https://en.wikipedia.org/wiki/OpenBSD_security_features | | |
| ▲ | snazz 5 hours ago | parent | next [-] | | The “kernel” in Qubes is arguably Xen rather than Linux, and that’s where the security boundaries are supposed to be defined rather than within VMs that may be running any OS. VM compartmentalization as a security mechanism is hard to compare to a more conventional Unix like OpenBSD. | | | |
| ▲ | fsflover 5 hours ago | parent | prev | next [-] | | You misunderstand the Qubes' approach to security. You isolate your workflows into separate VMs, so that security of a single VM doesn't matter. For example, my secrets are stored in a dedicated offline VM. All kernel bugs in it are just not exploitable. I open my online banking in a dedicated VM, in which nothing else is ever opened. Which attack vector do you think can be used against that? | |
| ▲ | tptacek 5 hours ago | parent | prev [-] | | https://isopenbsdsecu.re/ (This site is extremely good and has fairly recent coverage, point-by-point, of all OpenBSD's mitigations. An important subtext to take to this is that OpenBSD has a reputation for introducing mitigations that exploit developers make fun of. Some of them are great, some of them less so.) | | |
| ▲ | terry_hc 4 hours ago | parent [-] | | The slides are over 6 years old. The developers' attitudes haven't changed much, but are all of the arguments still valid? I've followed this discussion here and there over the years and it always goes like this: 1) everyone makes fun of the mitigations 2) many even outright assert they can easily defeat and exploit OpenBSD 3) nobody provides a working PoC when asked to demonstrate how insecure the OS is And somewhere in the mix there's also you and your usual blabber, also without any substantial examples of how insecure and exploitable the OS is. Always. | | |
| ▲ | tptacek 4 hours ago | parent [-] | | The site isn't the slide deck. Let's talk after you've read it? | | |
| ▲ | terry_hc 3 hours ago | parent [-] | | I have now read all of the points in the mitigations section. Just like the slides, the commentaries to the mitigations willingly assert uselessness and imply a sense of absolute insecurity, but without specific or even general examples. So I'm looking forward to your careful explanation of how insecure the whole thing is and how easily it can be dismantled. Because I really want and need to know. Let's talk. | | |
| ▲ | tptacek 3 hours ago | parent [-] | | Wait, what? No they don't. The author is an OpenBSD person and calls out several mitigations as clever and worthwhile. | | |
| ▲ | elch 2 hours ago | parent [-] | | No, the author isn't an "OpenBSD person". | | |
| ▲ | tptacek an hour ago | parent [-] | | Isn't this Joshua Stein? (I feel like I've gotten this wrong before.) | | |
| ▲ | daneel_w an hour ago | parent | next [-] | | It's not, and you have. | | |
| ▲ | tptacek an hour ago | parent [-] | | Rats! Some day I'll remember this. (I am a fan both of JCS and of the author of this page). |
| |
| ▲ | elch an hour ago | parent | prev [-] | | No, AFAIK the author is German and his nickname is stein (stone). |
|
|
|
|
|
|
|
| |
| ▲ | sunshine-o 3 hours ago | parent | prev [-] | | I was looking at that thread and honest question: how does Qubes OS deal with the binary blob issue?
I would guess it is deblobbed to a certain extend according to [0] But I couldn't find if they have a strict "no binary blob allowed" policy like OpenBSD. - [0] https://doc.qubes-os.org/en/r4.3/user/troubleshooting/pci-tr... | | |
|
|
| ▲ | ykurtov 7 hours ago | parent | prev | next [-] |
| What? How long did it take? |
| |
| ▲ | nelsonic 7 hours ago | parent [-] | | How long did what take? Learning the essentials of OpenBSD, budget 4-6hours. Switching over servers from Ubuntu, an hour for the first one then 10mins each after that. You can copy config with your favourite tools; most have ports for OpenBSD already.
If you want to learn more in-depth, read: Michael W. Lucas
Absolute OpenBSD, 2nd Edition: Unix for the Practical Paranoid. Highly recommend it as teaches many fundamentals most software engineers skip. | | |
| ▲ | reidrac 4 hours ago | parent [-] | | How many upgrades have you done so far? And how many kernel fixes? Long time ago I maintained a couple of obsd servers, and the cost in time of upgrades and the (occasional) security fixes was substantial. I still maintain a couple of servers, but if it wasn't because Debian makes it easier by automating most of it, I don't think I could do it. Yet I miss my time with obsd. I'm very interested in your experience. Edit: it was 3.6-STABLE. Things have changed since then. | | |
| ▲ | noAnswer 3 hours ago | parent | next [-] | | They have binary updates by now. No more need to download the source from CVS and compile fixes. You can update from one OS version to the next with manly only one command. | |
| ▲ | miah_ 3 hours ago | parent | prev [-] | | syspatch and sysupgrade have made things substantially easier these days. |
|
|
|
|
| ▲ | rs_rs_rs_rs_rs 7 hours ago | parent | prev [-] |
| >it’s time everyone considers OpenBSD https://x.com/ortegaalfredo/status/2055362910415671459 When your super secure feature gets defeated by a symlink maybe it's not really time to consider it... Sure, things are not better in the linux world but at least there's more eyes to fix issues there just because of the market share. |
| |
| ▲ | 866-RON-0-FEZ 7 hours ago | parent | next [-] | | Your "evidence" for him to reconsider is a sandbox "bypass" that requires you to be root to set up the environment? For my next trick I will demonstrate how to break into my own house to open the blinds by using my keys. Security researcher theatrics will never not be funny. | | |
| ▲ | gjm11 6 hours ago | parent | next [-] | | Maybe I'm misunderstanding the video, but it looks to me as if the situation is: You are root inside a sandbox. As root-in-the-sandbox, you create a symlink and this gives you the ability to escape the sandbox. (Whether this is interesting or not depends on whether anyone actually tries to use the sandbox facility in such a way as to give root-in-the-sandbox privileges to untrusted people or code. I don't know enough about OpenBSD to answer that.) | | |
| ▲ | ori_b 5 hours ago | parent | next [-] | | OpenBSD doesn't do different user accounts inside vs outside sandboxes; if you're root in the sandbox, you're root on the system. | | |
| ▲ | anthk 3 hours ago | parent [-] | | Also I tried the Dirtyfrag exploit under Bubblewrap for GNU/Linux. It lasted, but finally I got root with a simple 'su'. |
| |
| ▲ | 866-RON-0-FEZ 6 hours ago | parent | prev [-] | | So what? You're still root. You're relying on a sandbox to plug a few voids while you still effectively held keys to the kingdom before said voids were plugged. I hear this excuse daily from developers who insist on running all their docker containers as root "because we have to". If you're relying on a sandbox as your first line of defense you've already lost the war. | | |
| |
| ▲ | SmirkingRevenge 4 hours ago | parent | prev | next [-] | | The parents tone wasn't warranted, but bugs like this could be more serious if combined with privilege escalation bugs in the sandbox. Ideally, sandboxes should be like Vegas - what happens in the sandbox stays in the sandbox. (I'm just speaking hypothetically here, I'm not knowledgeable about OpenBSD or it's sandboxes) | |
| ▲ | rs_rs_rs_rs_rs 7 hours ago | parent | prev [-] | | >Your "evidence" for him to reconsider is a sandbox "bypass" that requires you to be root to set up the environment Can you help figure out where does it say unveil does not really work when root is involved? | | |
| ▲ | 866-RON-0-FEZ 6 hours ago | parent [-] | | You left a snarky comment, then paraded around a positively lame example as some sort of trophy. Here's what I can figure out: you need root to set up the environment just so. It's a don't-care. The end. | | |
| ▲ | 3form 6 hours ago | parent | next [-] | | So, a break out of chroot in a chroot jailed app would be a non-issue because I need root to set it up? | | |
| ▲ | yjftsjthsd-h 6 hours ago | parent [-] | | If you need root to set up the escape, then yes that is relatively uninteresting. Like, we know chroot can't contain root. | | |
| ▲ | 3form 5 hours ago | parent [-] | | Thanks. It was not evident from the example whether root inside of the sandbox is necessary - I assumed creating arbitrary symlinks doesn't require any particular capabilities, and there's nothing special about the locations. Though it's not clear to me now: - why was this patched then? - is the point about root that non-root wouldn't have access to passwd anyway? | | |
| ▲ | ori_b 3 hours ago | parent [-] | | OpenBSD doesn't have separate user accounts for sandboxes. These sandboxes are not linux-style containers, they're narrowed views of the full install. If you're root inside the sandbox, you're root outside it. This exploit requires you to already be root. | | |
| ▲ | 3form an hour ago | parent [-] | | But the issue of root and accessing outside of the sandbox is orthogonal, no? Even if you're logged in as XYZ, accessing XYZ's contents outside of the sandbox is still a breach and a problem. Or does this issue require actual root to manifest? | | |
| ▲ | ori_b 38 minutes ago | parent [-] | | This path was special cased used to allow restricted applications to access time zone files, which are needed for time functions. Not any symlink will do, it has to be the specific one shown in the example exploit. The place this symlink lives is owned by root. This is the same root user outside the sandbox as inside it. So, yes, you need to have root on the box to set up this exploit. |
|
|
|
|
| |
| ▲ | rs_rs_rs_rs_rs 6 hours ago | parent | prev [-] | | >Here's what I can figure out: you need root to set up the environment just so. I guess you just don't understand what unveil does. | | |
| ▲ | 866-RON-0-FEZ 6 hours ago | parent [-] | | Your arrogance is continued proof you could never comprehend the work that goes into building, releasing, and maintaining an entire OS, and your contributions will forever be limited to snarky negativity on message boards. | | |
| ▲ | rs_rs_rs_rs_rs 5 hours ago | parent [-] | | Anything on unveil and not about me? | | |
| ▲ | 866-RON-0-FEZ 4 hours ago | parent [-] | | If you think their code sucks to the point people should think twice about using it, I suggest you stop using OpenSSH immediately. Please be sure to let us know when your better, more secure replacement is ready. |
|
|
|
|
|
| |
| ▲ | ori_b 7 hours ago | parent | prev [-] | | Note that this specific symlink was special cased because sandboxed programs still need to access timezones. Also note that you would need to be root to create that special cased symlink. It's embarrassing, but less catastrophic than it looks at first glance. Running security-critical code as root is still a bad idea. |
|
