Yes, Another Massive Vulnerability Was Found In OpenSSL, But This Is Actually A Good Sign
from the five-eyes... dept
Yes, just about the time that we announced that Techdirt had shifted to 100% SSL, it came out that there was another massive flaw in OpenSSL, and we started to scramble to update our SSL (that's now done). This latest vulnerability would make man-in-the-middle attacks easier, which is a serious and significant problem, but it's a very different vulnerability from the high-profile Heartbleed, which would just let people go fishing for all sorts of information on various servers. There's a good technical overview here, which indicates that the bug has actually... been around since at least 1998. So, uh, yeah, this vulnerability has been sitting out there for a long, long time.

While some will react to this with (perhaps reasonable) horror, it's worth remembering that, despite being such an integral piece of internet security infrastructure, OpenSSL has mostly been a part-time project for those involved, and only recently (after Heartbleed) have efforts really been made to bump up the resources behind it and the careful security analysis of OpenSSL for vulnerabilities. As security expert Matthew Green points out, "the sudden proliferation of OpenSSL bugs is to be expected and a good thing. Like finding dirty socks during spring cleaning." In other words, there's a lot more attention being paid to OpenSSL and its security these days, and it's inevitable that vulnerabilities are going to be found. Expect more. But, in the long run, that's a good thing. The more attention there is to cleaning up such software, the better.
Filed Under: bugs, openssl, security, vulnerabilities
Reader Comments
So we can assume that the NSA has been exploiting it for about 16 years now.
Half Assing it all
I can tell you that 95% of the time every last piece of code, project, script, or build is literally just enough to push it out and say WE ARE READY! Just enough to get by!
Just about every organization I have ever worked for is loaded with Professionals that are really not that skilled, even in the area they work. And it's hard to really fault the open source community because a lot of it is done on their own time and without just compensation!
Re: Half Assing it all
Your comment was quite insightful, until this. You obviously don't understand how open-source works. Quite a large part of the widely-used projects are developed by paid employees of interested companies, and the majority of the remainder is developed by people who are quite aware that they are not working for monetary compensation (and I would guess that most don't even expect egoboo).
A very, very small minority GPL their stuff thinking that they'll rake something in via parallel licensing deals. A minuscule number of those actually do (disclaimer: I know one such FOSS developer).
I really think the implications are sort of overblown as it would still be hard to pull this off. The good thing is that this was fixed, and it's before Mozilla launches WebRTC which relies heavily on DTLS, and holds some promise to shake things up.
... is what you'll be hearing soon.
Re:
Flawed code seems to be an endemic, and probably intrinsic, problem -- whether written by paid "professionals" or unpaid "volunteers" (and studies back this up -- open source projects have favorable error rates compared to closed source commercial development.) But historically the volunteers appear to be generally more responsible about addressing the issues that come up, promptly and correctly.
This might be only because the volunteers and hobbyists aren't shielded from public view by corporate curtains -- they have more to lose, personally -- and less opportunity to hide shortcomings or make excuses. Or maybe they just care more. Money doesn't seem to have been as effective a motivator for commercial software review as has been generally argued.
Either way, code review is one of those unglamorous, tedious tasks that volunteers and hobbyists don't enjoy, and commercial software houses find expensive for little obvious direct benefit. Both groups need to take it seriously. It used to be that the Microsofts of the software world didn't give such work a sufficiently high priority -- and it showed. It appears that perhaps the time has come that FOSS circles need to reassess their priorities in this regard as well, if they wish to stay ahead.
Re: Re:
Herein lies the problem: FOSS developers usually aren't attempting to stay ahead, they're attempting to solve an interesting problem and share their exploits with an appreciative audience.
There are very few people who find code review fun or fulfilling (best case scenario: people discover your mistakes and point them out, and then someone has to patch them without introducing more issues, and nothing novel is done).
Re: Re:
It might also have to do with the fact they can get down to fixing bugs without having to write many memos, and go through several rounds of meetings just to justify the existence of managers.
Re:
http://www.openssl.org/news/secadv_20140605.txt
However how much effort should you put to polish crap (to stay polite)? They've proven the codebase is simply horrible. And Bob Beck's presentation points out so many epic fails from the openSSL coders, that it's really not worth the effort of trying to fix.
Might as well just move on to better software, with more responsible developers, like GnuTLS or LibreSSL.
https://www.youtube.com/watch?v=GnBbhXBDmwU
Bad way to evaluate relative risk
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3466 ?
Switching libraries might be worthwhile, or possibly not, depending on how much audited code on the application side would need to be rewritten.
All software has bugs, OpenSSL will probably get sorted out eventually.