I think this is overkill, and add that a vulnerability that this FreeBSD jail setup would stop would be page 1 "the Internet is broken" news; hundreds of millions of dollars of transactions every day rely on there not being system integrity flaws in OpenSSL.
That doesn't make Colin crazy; it just makes this not general-purpose advice.
a vulnerability that this FreeBSD jail setup would stop would be page 1 "the Internet is broken" news
Not true. There have been potential code execution bugs in OpenSSL which have received very little attention in the past. One which comes to mind is a 'free an arbitrary pointer' bug -- in an application like Apache, if you can free the right pointer, it's not hard to get code execution. (I didn't produce an exploit for this OpenSSL bug, so it's possible that it was unexploitable for some reason -- I just saw 'bogus pointer being freed' and said 'wow, this really needs to be fixed'.)
That doesn't make Colin crazy
Thanks, I think.
it just makes this not general-purpose advice.
This is an easy step to take, and prevents a class of attacks. Why not err on the side of caution?
That doesn't make Colin crazy; it just makes this not general-purpose advice.