Yes, Another Massive Vulnerability Was Found In OpenSSL, But This Is Actually A Good Sign

from the five-eyes... dept

Yes, just about the time we announced that Techdirt had shifted to 100% SSL, it came out that there was another serious flaw in OpenSSL, and we scrambled to update our OpenSSL build (that's now done). This latest vulnerability, the ChangeCipherSpec (CCS) injection bug tracked as CVE-2014-0224, makes man-in-the-middle attacks easier: an attacker sitting between a vulnerable client and a vulnerable server can trick both ends into deriving their session keys before the real key exchange has happened, and then read and tamper with the traffic. That's a serious and significant problem, but note the caveat: the attacker has to be on the path, and both ends have to be running unpatched OpenSSL, so patching either end of a connection (the fixed releases are 0.9.8za, 1.0.0m and 1.0.1h) is enough to close it, because a patched peer rejects the premature CCS. It's also a very different kind of vulnerability than the high profile Heartbleed, which let anyone on the internet pull chunks of a server's memory (private keys, session cookies, passwords) just by asking. There's a good technical overview here, which indicates that the bug has actually... been around since at least 1998, in the very first OpenSSL release. So, uh, yeah, this vulnerability has been sitting out there for a long, long time.

While some will react to this with (perhaps reasonable) horror, it's worth remembering that, despite being such an integral piece of internet security infrastructure, OpenSSL has mostly been a part-time project for those involved, and only recently (after Heartbleed) has there been a real effort to put more resources behind it and to audit it carefully for vulnerabilities. As cryptographer Matthew Green points out, "the sudden proliferation of OpenSSL bugs is to be expected and a good thing. Like finding dirty socks during spring cleaning." In other words, a lot more attention is being paid to OpenSSL and its security these days, and it's inevitable that more vulnerabilities will be found. Expect more. But, in the long run, that's a good thing: a bug that gets found and fixed in public is one that can no longer be quietly exploited. The more attention there is to cleaning up such software, the better.
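To make the ordering bug concrete, here is an added example written for this page (it is not OpenSSL code and not from the Techdirt article). It walks a client's TLS records the way a server would and enforces the one rule the CCS injection fix adds: a ChangeCipherSpec record must not be honoured before the peer's ClientKeyExchange has been seen, because honouring it earlier means the connection's keys are derived from an empty master secret. The `process_client_flight` and `accepts_stream` names are mine, the two byte streams are constructed by hand, and the handshake message bodies are dummy bytes; only the record and handshake framing matters here.

```python
"""
Toy TLS record walker that enforces the handshake-ordering rule behind
CCS injection (CVE-2014-0224).  Added example for this page, not OpenSSL
code.  Sample flights below are constructed; message bodies are dummies.
"""
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CHANGE_CIPHER_SPEC = 20
ALERT = 21
HANDSHAKE = 22

# Handshake message types (RFC 5246, section 7.4)
CLIENT_HELLO = 1
CLIENT_KEY_EXCHANGE = 16
FINISHED = 20

HANDSHAKE_NAMES = {1: "ClientHello", 16: "ClientKeyExchange", 20: "Finished"}


def record(content_type, payload, version=b"\x03\x01"):
    """Frame one TLS record: type(1) | version(2) | length(2) | payload."""
    return bytes([content_type]) + version + struct.pack("!H", len(payload)) + payload


def handshake(msg_type, body):
    """Frame one handshake message: type(1) | length(3) | body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def iter_records(stream):
    """Yield (content_type, payload) for each complete record in the stream."""
    off = 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header")
        ctype = stream[off]
        length = struct.unpack("!H", stream[off + 3:off + 5])[0]
        payload = stream[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record payload")
        yield ctype, payload
        off += 5 + length


def process_client_flight(stream, strict=True):
    """
    Walk the client's records as a server would and return the events seen.

    strict=False mirrors the pre-fix behaviour in one respect: a CCS is
    honoured whenever it arrives, so one that comes before ClientKeyExchange
    switches to keys derived from an empty master secret ("CCS(weak-keys)").
    strict=True rejects that ordering with an unexpected_message alert,
    which is what the patched releases do.
    """
    events = []
    have_key_exchange = False
    for ctype, payload in iter_records(stream):
        if ctype == HANDSHAKE:
            # One record may carry several handshake messages back to back.
            off = 0
            while off < len(payload):
                msg_type = payload[off]
                length = int.from_bytes(payload[off + 1:off + 4], "big")
                off += 4 + length
                if msg_type == CLIENT_KEY_EXCHANGE:
                    have_key_exchange = True
                events.append(HANDSHAKE_NAMES.get(msg_type, "Handshake(%d)" % msg_type))
        elif ctype == CHANGE_CIPHER_SPEC:
            if not have_key_exchange:
                if strict:
                    raise ValueError("alert: unexpected_message (CCS before ClientKeyExchange)")
                events.append("CCS(weak-keys)")
            else:
                events.append("CCS")
        else:
            events.append("Record(%d)" % ctype)
    return events


def accepts_stream(stream, strict=True):
    """True if the flight is accepted, False if it is rejected with an alert."""
    try:
        process_client_flight(stream, strict=strict)
        return True
    except ValueError:
        return False


# Constructed sample flights (bodies are dummy bytes).
NORMAL_FLIGHT = (
    record(HANDSHAKE, handshake(CLIENT_HELLO, b"\x03\x01" + b"\x00" * 32))
    + record(HANDSHAKE, handshake(CLIENT_KEY_EXCHANGE, b"\x00\x80" + b"\x11" * 128))
    + record(CHANGE_CIPHER_SPEC, b"\x01")
    + record(HANDSHAKE, handshake(FINISHED, b"\x22" * 12))
)

# An on-path attacker injects a CCS right after the ClientHello.
INJECTED_FLIGHT = (
    record(HANDSHAKE, handshake(CLIENT_HELLO, b"\x03\x01" + b"\x00" * 32))
    + record(CHANGE_CIPHER_SPEC, b"\x01")
    + record(HANDSHAKE, handshake(CLIENT_KEY_EXCHANGE, b"\x00\x80" + b"\x11" * 128))
    + record(CHANGE_CIPHER_SPEC, b"\x01")
    + record(HANDSHAKE, handshake(FINISHED, b"\x22" * 12))
)

if __name__ == "__main__":
    print("normal, strict:   ", process_client_flight(NORMAL_FLIGHT))
    print("injected, lenient:", process_client_flight(INJECTED_FLIGHT, strict=False))
    print("injected, strict accepted?", accepts_stream(INJECTED_FLIGHT))
```

The lenient walk is what made the attack work: the injected CCS is accepted and marked "CCS(weak-keys)", and everything after it is keyed off material an on-path attacker can predict. The strict walk throws the alert at the same point. A live check against a real server works the same way in spirit: complete the ClientHello/ServerHello exchange, send a CCS before the ClientKeyExchange, and see whether the server answers with an alert (patched) or keeps going (unpatched). This example only models the state check and makes no network connections.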


Filed Under: bugs, openssl, security, vulnerabilities


Reader Comments



  1. Michael, 6 Jun 2014 @ 12:36pm

    which indicates that the bug has actually... been around since at least 1998

    So we can assume that the NSA has been exploiting it for about 16 years now.

  2. Anonymous Coward, 6 Jun 2014 @ 12:44pm

    Half Assing it all

    I work in the Tech Sector.

    I can tell you that 95% of the time every last piece of code, project, script, or build is literally just enough to push it out and say WE ARE READY! Just enough to get by!

    Just about every organization I have ever worked for is loaded with Professionals that are really not that skilled, even in the area they work. And it's hard to really fault the open source community because a lot of it is done on their own time and without just compensation!

  3. madasahatter (profile), 6 Jun 2014 @ 1:04pm

    openSSL

    The good news is openSSL is getting fixed and more importantly they are pushing out patches quickly.

  4. Anonymous Coward, 6 Jun 2014 @ 1:08pm

    The flaw is with DTLS, so websites weren't affected. Mainly, I would think VPNs and custom VoIP setups would probably be most affected. On the VoIP side of things, we already have CALEA so if LEOs want to tap your phone, they can do that easily.

    I really think the implications are sort of overblown as it would still be hard to pull this off. The good thing is that this was fixed, and it's before Mozilla launches WebRTC which relies heavily on DTLS, and holds some promise to shake things up.

  5. Eric Hamilton, 6 Jun 2014 @ 1:20pm

    Eric

    Well it sounds as though there is an advantage to open source software.

  6. Eric Hamilton, 6 Jun 2014 @ 1:21pm

    Eric

    Well it sounds as though there is an advantage to open source software.

  7. jackn, 6 Jun 2014 @ 1:38pm

    Re: Eric

    two in a row; and we still don't know what you're saying.

  8. Anonymous Coward, 6 Jun 2014 @ 2:32pm

    I say it's time we protect our infrastructure by taking it away from amateurs and putting it in the hands of professionals!

    ... is what you'll be hearing soon.

  9. Anonymous Coward, 6 Jun 2014 @ 2:38pm

    Re:

    Except that the people writing SSL are professionals; they're just professionals that mostly work for free. If companies were willing to send money to the OpenSSL dev team, we wouldn't have critical infrastructure written by a 5-person team of unpaid volunteers.

  10. Anonymous Coward, 6 Jun 2014 @ 3:36pm

    Re:

    There were several flaws fixed in this release. The one Mike is talking about is not the DTLS one, it's the ChangeCipherSpec one. It applies to any buggy version of OpenSSL connecting to a buggy recent version of OpenSSL.

  11. BernardoVerda (profile), 6 Jun 2014 @ 3:59pm

    Re:

    If I recall correctly, Microsoft's longest-lasting security vuln/bug went for 17 years -- plus several months to get off their duffs, acknowledge the problem, and actually fix it.

    Flawed code seems to be an endemic, and probably intrinsic, problem -- whether written by paid "professionals" or unpaid "volunteers" (and studies back this up -- open source projects have favorable error rates compared to closed source commercial development.) But historically the volunteers appear to be generally more responsible about addressing the issues that come up, promptly and correctly.

    This might be only because the volunteers and hobbyists aren't shielded from public view by corporate curtains -- they have more to lose, personally -- and less opportunity to hide shortcomings or make excuses. Or maybe they just care more. Money doesn't seem to have been as effective a motivator for commercial software review as has been generally argued.

    Either way, code review is one of those unglamorous, tedious tasks that volunteer hobbyists don't enjoy, and commercial software houses find expensive for little obvious direct benefit. Both groups need to take it seriously. It used to be that the Microsofts of the software world didn't give such work a sufficiently high priority -- and it showed. It appears that perhaps the time has come that FOSS circles need to reassess their priorities in this regard as well, if they wish to stay ahead.

  12. Anonymous Coward, 6 Jun 2014 @ 4:49pm

    Re: Re:

    It appears that perhaps the time has come that FOSS circles need to reassess their priorities in this regard as well, if they wish to stay ahead.

    Herein lies the problem: FOSS developers usually aren't attempting to stay ahead, they're attempting to solve an interesting problem and share their exploits with an appreciative audience.

    There are very few people who find code review fun or fulfilling (best case scenario: people discover your mistakes and point them out, and then someone has to patch them without introducing more issues, and nothing novel is done).

  13. Anonymous Coward, 6 Jun 2014 @ 5:32pm

    I wonder if the client updating their OpenSSL software is enough to prevent the man-in-the-middle attack from happening. That way even if the server doesn't upgrade its OpenSSL software, the client is still safe?

  14. Anonymous Coward, 6 Jun 2014 @ 5:47pm

    Re: Eric

    You can say that again.

  15. orbitalinsertion (profile), 6 Jun 2014 @ 6:44pm

    Re: Re: Eric

    no, you are (probably) pretending to not know what he's saying. pretty sure most others understand; at minimum the person who replied to the first post and elicited the second. which, it also seems, you pretend not to understand. probably in service of making your own point. fail.

  16. orbitalinsertion (profile), 6 Jun 2014 @ 6:51pm

    Re:

  17. Anonymous Coward, 7 Jun 2014 @ 12:27am

    Re: Re:

    This might be only because the volunteers and hobbyists aren't shielded from public view by corporate curtains.

    It might also have to do with the fact they can get down to fixing bugs without having to write many memos, and go through several rounds of meetings just to justify the existence of managers.

  18. RonKaminsky (profile), 7 Jun 2014 @ 9:36am

    Re: Half Assing it all

    > without just compensation

    Your comment was quite insightful, until this. You obviously don't understand how open-source works. Quite a large part of the widely-used projects are developed by paid employees of interested companies, and the majority of the remainder is developed by people who are quite aware that they are not working for monetary compensation (and I would guess that most don't even expect egoboo).

    A very, very small minority GPL their stuff thinking that they'll rake something in via parallel licensing deals. A minuscule number of those, actually do (disclaimer: I know one such FOSS developer).

  19. Anonymous Coward, 7 Jun 2014 @ 9:43am

    Yes, it's a good thing *for OpenSSL*.

    However how much effort should you put to polish crap (to stay polite)? They've proven the codebase is simply horrible. And Bob Beck's presentation points out so many epic fails from the openSSL coders, that it's really not worth the effort of trying to fix.

    Might as well just move on to better software, with more responsible developers, like GnuTLS or LibreSSL.

    https://www.youtube.com/watch?v=GnBbhXBDmwU

  20. RonKaminsky (profile), 7 Jun 2014 @ 10:55am

    Bad way to evaluate relative risk

    > GnuTLS

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3466 ?

    Switching libraries might be worthwhile, or possibly not, depending on how much audited code on the application side would need to be rewritten.

    All software has bugs, OpenSSL will probably get sorted out eventually.

  21. Anonymous Coward, 8 Jun 2014 @ 11:22pm

    Re: Re: Re:

    The number of times I've had managers ask to hear a detailed description of the cause and fix for a bug, and you know they don't understand a word of it!

  22. Anonymous Coward, 9 Jun 2014 @ 1:49am

    Open-source FTW.

