Yes, Another Massive Vulnerability Was Found In OpenSSL, But This Is Actually A Good Sign

from the five-eyes... dept

Yes, just about the time that we announced that Techdirt had shifted to 100% SSL, it came out that there was another massive flaw in OpenSSL, and we started to scramble to update our SSL (that’s now done). This latest vulnerability would make man-in-the-middle attacks easier, which is a serious and significant problem, but it’s a very different vulnerability than the high profile Heartbleed, that would just let people go fishing for all sorts of information on various servers. There’s a good technical overview here, which indicates that the bug has actually… been around since at least 1998. So, uh, yeah, this vulnerability has been sitting out there for a long, long time.

While some will react to this with (perhaps reasonable) horror, it’s worth remembering that, despite being such an integral piece of internet security infrastructure, OpenSSL has mostly been a part time project for those involved, and only recently (after Heartbleed) have efforts really been made to bump up the resources behind it and the careful security analysis of OpenSSL for vulnerabilities. As security expert Matthew Green points out, “the sudden proliferation of OpenSSL bugs is to be expected and a good thing. Like finding dirty socks during spring cleaning.” In other words, there’s a lot more attention being paid to OpenSSL and its security these days, and it’s inevitable that vulnerabilities are going to be found. Expect more. But, in the long run, that’s a good thing. The more attention there is to cleaning up such software, the better.

Filed Under: , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Yes, Another Massive Vulnerability Was Found In OpenSSL, But This Is Actually A Good Sign”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Half Assing it all

I work in the Tech Sector.

I can tell you that 95% of the time ever last piece of code, project, script, or build is literally just enough to push it out and say WE ARE READY! Just enough to get by!

Just about every organization I have ever worked for is loaded with Professionals that are really not that skilled, even in the area they work. And its hard to really fault the open source community because a lot of it is done on their own time and without just compensation!

RonKaminsky (profile) says:

Re: Half Assing it all

without just compensation

Your comment was quite insightful, until this. You obviously don’t understand how open-source works. Quite a large part of the widely-used projects are developed by paid employees of interested companies, and the majority of the remainder is developed by people who are quite aware that they are not working for monetary compensation (and I would guess that most don’t even expect egoboo).

A very, very small minority GPL their stuff thinking that they’ll rake something in via parallel licensing deals. A minuscule number of those, actually do (disclaimer: I know one such FOSS developer).

Anonymous Coward says:

The flaw is with DTLS, so websites weren’t affected. Mainly, I would think probably VPNs, and custom VoIP setups would probably be most effected. On the VoIP side of things, we already have CALEA so if LEO’s want to tap your phone, they can do that easily.

I really think the implications are sort of overblown as it would still be hard to pull this off. The good thing is that this was fixed, and it’s before Mozilla launches WebRTC which relies heavily on DTLS, and holds some promise to shake things up.

BernardoVerda says:

Re: Re:

If I recall correctly, Microsoft?s longest-lasting security vuln/bug went for 17 years — plus several months to acknowledge the problem, , and actually fix it.get off their duffs.

Flawed code seems to be an endemic, and probably intrinsic, problem — whether written by paid “professionals” or unpaid “volunteers” (and studies back this up — open source projects have favorable error rates compared to closed source commercial development.) But historically the volunteers appear to be generally more responsible about addressing the issues that come up, promptly and correctly.

This might be only because the volunteers and hobbyists aren’t shielded from public view by corporate curtains — they have more to lose, personally — and less opportunity to hide shortcomings or make excuses. Or maybe they just care more. Money doesn’t seem to have been as effective a motivator for commercial software review as has been generally argued.

Either way, code review is one of those unglamorous, tedious tasks that volunteers hobbyists don’t enjoy, and commercial software houses find expensive for little obvious direct benefit. Both groups need to take it seriously. It used to be that the Microsofts of the software world didn’t give such work a sufficiently high priority — and it showed. It appears that perhaps the time has come that FOSS circles need to reassess their priorities in this regard as well, if they wish to stay ahead.

Anonymous Coward says:

Re: Re: Re:

It appears that perhaps the time has come that FOSS circles need to reassess their priorities in this regard as well, if they wish to stay ahead.

Herein lies the problem: FOSS developers usually aren’t attempting to stay ahead, they’re attempting to solve an interesting problem and share their exploits with an appreciative audience.

There are very few people who find code review fun or fulfilling (best case scenario: people discover your mistakes and point them out, and then someone has to patch them without introducing more issues, and nothing novel is done).

Anonymous Coward says:

Re: Re: Re:

This might be only because the volunteers and hobbyists aren’t shielded from public view by corporate curtains.

It might also have to do with the fact they can get down to fixing bugs without having to write many memos, and go through several rounds of meetings just to justify the existence of managers.

Anonymous Coward says:

Yes, it’s a good thing *for OpenSSL*.

However how much effort should you put to polish crap (to stay polite)? They’ve proven the codebase is simply horrible. And Bob Beck’s presentation points out so many epic fails from the openSSL coders, that it’s really not worth the effort of trying to fix.

Might as well just move on to better software, with more responsible developers, like GnuTLS or LibreSSL.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...