Yes, Another Massive Vulnerability Was Found In OpenSSL, But This Is Actually A Good Sign

from the five-eyes... dept

Yes, just about the time we announced that Techdirt had shifted to 100% SSL, it came out that there was another massive flaw in OpenSSL, and we scrambled to update our SSL (that's now done). This latest vulnerability makes man-in-the-middle attacks easier: someone sitting on the path between a vulnerable client and a vulnerable server can weaken the keys protecting the connection and then read or tamper with what passes over it. That is a serious and significant problem, but it's a very different vulnerability from the high-profile Heartbleed, which let anyone go fishing through a server's memory for whatever happened to be there. There's a good technical overview here, which indicates that the bug has actually... been around since at least 1998. So, uh, yeah, this vulnerability has been sitting out there for a long, long time. The one consolation is that, unlike Heartbleed, it only works when both ends of the connection are running an unpatched OpenSSL, so updating either side closes it off.
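To make "accepting a handshake message too early" concrete, here is an added illustration; it is not code from the original post and not OpenSSL's code. It is a stripped-down model, in Python, of how one endpoint handles the ChangeCipherSpec (CCS) record. Everything in it is constructed for the example: the `Endpoint` class, the fixed `CLIENT_RANDOM`/`SERVER_RANDOM` values (those travel in the clear anyway), and `prf`, which uses HMAC-SHA256 as a stand-in for the real TLS key schedule. The model leaves out the Finished-message check and the version-dependence of the real bug; what it keeps is the property that matters. If a CCS record is processed before the key exchange has completed, the record keys are derived from an empty master secret, which anyone on the path can compute too. The hardened variant treats an early CCS as an unexpected message and refuses it, which is the shape of the fix.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed handshake randoms. In TLS these are sent in the clear in
# ClientHello and ServerHello, so an on-path attacker always knows them.
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))


def prf(secret: bytes, label: bytes, seed: bytes) -> bytes:
    """Stand-in for the TLS PRF (HMAC-SHA256 here; the real one differs).

    Only one property is used below: the output is a deterministic
    function of the secret and the public seed.
    """
    return hmac.new(secret, label + seed, hashlib.sha256).digest()


class HandshakeError(Exception):
    pass


@dataclass
class Endpoint:
    """One side of the handshake, modelled only as far as CCS handling needs."""
    client_random: bytes
    server_random: bytes
    reject_early_ccs: bool            # False models the flaw, True the fix
    master_secret: bytes = b""        # empty until the key exchange completes
    key_exchange_done: bool = False
    record_keys: Optional[bytes] = None

    def on_client_key_exchange(self, pre_master_secret: bytes) -> None:
        # Only after this step does the endpoint hold a secret the attacker lacks.
        self.master_secret = prf(pre_master_secret, b"master secret",
                                 self.client_random + self.server_random)
        self.key_exchange_done = True

    def on_change_cipher_spec(self) -> None:
        # Hardened check: a CCS record is only legal once the key exchange is done.
        if self.reject_early_ccs and not self.key_exchange_done:
            raise HandshakeError("CCS received early: unexpected message")
        # Vulnerable path: with master_secret still b"", these keys depend on
        # public data only, so the attacker can derive the same bytes.
        self.record_keys = prf(self.master_secret, b"key expansion",
                               self.server_random + self.client_random)


def attacker_guess() -> bytes:
    """What an on-path attacker can compute without knowing any secret."""
    return prf(b"", b"key expansion", SERVER_RANDOM + CLIENT_RANDOM)


def injected_ccs_handshake(reject_early_ccs: bool) -> dict:
    """Attacker injects a CCS record to both sides right after ServerHello.

    Returns, per side, True if that side now uses attacker-computable keys,
    or "rejected" if it refused the early record.
    """
    client = Endpoint(CLIENT_RANDOM, SERVER_RANDOM, reject_early_ccs)
    server = Endpoint(CLIENT_RANDOM, SERVER_RANDOM, reject_early_ccs)
    result = {}
    for name, ep in (("client", client), ("server", server)):
        try:
            ep.on_change_cipher_spec()               # injected, too early
            result[name] = ep.record_keys == attacker_guess()
        except HandshakeError:
            result[name] = "rejected"
    return result


def honest_handshake(pre_master_secret: bytes) -> bool:
    """Normal order: key exchange first, then CCS. True if keys stay private."""
    client = Endpoint(CLIENT_RANDOM, SERVER_RANDOM, reject_early_ccs=True)
    server = Endpoint(CLIENT_RANDOM, SERVER_RANDOM, reject_early_ccs=True)
    for ep in (client, server):
        ep.on_client_key_exchange(pre_master_secret)
        ep.on_change_cipher_spec()
    return (client.record_keys == server.record_keys
            and client.record_keys != attacker_guess())


if __name__ == "__main__":
    print("vulnerable:", injected_ccs_handshake(reject_early_ccs=False))
    print("hardened:  ", injected_ccs_handshake(reject_early_ccs=True))
    print("honest handshake keeps keys private:",
          honest_handshake(b"constructed pre-master secret"))
```

The point of the two `reject_early_ccs` settings is that the cryptography is identical in both; the difference is a single state-machine check on when a message is allowed to arrive. That is why this class of bug is found by reading the handshake code rather than by attacking the ciphers.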

While some will react to this with (perhaps reasonable) horror, it's worth remembering that, despite being such an integral piece of internet security infrastructure, OpenSSL has mostly been a part-time project for those involved, and only recently (after Heartbleed) have real efforts been made to bump up the resources behind it and to audit the code carefully for vulnerabilities. As security expert Matthew Green points out, "the sudden proliferation of OpenSSL bugs is to be expected and a good thing. Like finding dirty socks during spring cleaning." In other words, a lot more attention is being paid to OpenSSL and its security these days, and it's inevitable that vulnerabilities are going to be found. Expect more. But, in the long run, that's a good thing: a bug that a reviewer finds and patches is one that nobody else gets to find and quietly use. The more attention there is to cleaning up such software, the better.

Reader Comments (rss)


  1.  
    Michael, Jun 6th, 2014 @ 12:36pm

    which indicates that the bug has actually... been around since at least 1998

    So we can assume that the NSA has been exploiting it for about 16 years now.

  2.  
    Anonymous Coward, Jun 6th, 2014 @ 12:44pm

    Half Assing it all

    I work in the Tech Sector.

    I can tell you that 95% of the time every last piece of code, project, script, or build is literally just enough to push it out and say WE ARE READY! Just enough to get by!

    Just about every organization I have ever worked for is loaded with Professionals that are really not that skilled, even in the area they work. And it's hard to really fault the open source community because a lot of it is done on their own time and without just compensation!

  3.  
    madasahatter (profile), Jun 6th, 2014 @ 1:04pm

    openSSL

    The good news is openSSL is getting fixed and more importantly they are pushing out patches quickly.

  4.  
    Anonymous Coward, Jun 6th, 2014 @ 1:08pm

    The flaw is with DTLS, so websites weren't affected. Mainly, I would think probably VPNs, and custom VoIP setups would probably be most affected. On the VoIP side of things, we already have CALEA so if LEOs want to tap your phone, they can do that easily.

    I really think the implications are sort of overblown as it would still be hard to pull this off. The good thing is that this was fixed, and it's before Mozilla launches WebRTC which relies heavily on DTLS, and holds some promise to shake things up.

  5.  
    Eric Hamilton, Jun 6th, 2014 @ 1:20pm

    Eric

    Well it sounds as though there is an advantage to open source software.

  6.  
    Eric Hamilton, Jun 6th, 2014 @ 1:21pm

    Eric

    Well it sounds as though there is an advantage to open source software.

  7.  
    jackn, Jun 6th, 2014 @ 1:38pm

    Re: Eric

    two in a row; and we still don't know what you're saying.

  8.  
    Anonymous Coward, Jun 6th, 2014 @ 2:32pm

    I say it's time we protect our infrastructure by taking it away from amateurs and putting it in the hands of professionals!

    ... is what you'll be hearing soon.

  9.  
    Anonymous Coward, Jun 6th, 2014 @ 2:38pm

    Re:

    Except that the people writing SSL are professionals; they're just professionals that mostly work for free. If companies were willing to send money to the OpenSSL dev team, we wouldn't have critical infrastructure written by a 5-person team of unpaid volunteers.

  10.  
    Anonymous Coward, Jun 6th, 2014 @ 3:36pm

    Re:

    There were several flaws fixed in this release. The one Mike is talking about is not the DTLS one, it's the ChangeCipherSpec one. It applies to any buggy version of OpenSSL connecting to a buggy recent version of OpenSSL.

  11.  
    BernardoVerda (profile), Jun 6th, 2014 @ 3:59pm

    Re:

    If I recall correctly, Microsoft's longest-lasting security vuln/bug went for 17 years -- plus several months to acknowledge the problem, get off their duffs, and actually fix it.

    Flawed code seems to be an endemic, and probably intrinsic, problem -- whether written by paid "professionals" or unpaid "volunteers" (and studies back this up -- open source projects have favorable error rates compared to closed source commercial development.) But historically the volunteers appear to be generally more responsible about addressing the issues that come up, promptly and correctly.

    This might be only because the volunteers and hobbyists aren't shielded from public view by corporate curtains -- they have more to lose, personally -- and less opportunity to hide shortcomings or make excuses. Or maybe they just care more. Money doesn't seem to have been as effective a motivator for commercial software review as has been generally argued.

    Either way, code review is one of those unglamorous, tedious tasks that volunteer hobbyists don't enjoy, and commercial software houses find expensive for little obvious direct benefit. Both groups need to take it seriously. It used to be that the Microsofts of the software world didn't give such work a sufficiently high priority -- and it showed. It appears that perhaps the time has come that FOSS circles need to reassess their priorities in this regard as well, if they wish to stay ahead.

  12.  
    Anonymous Coward, Jun 6th, 2014 @ 4:49pm

    Re: Re:

    It appears that perhaps the time has come that FOSS circles need to reassess their priorities in this regard as well, if they wish to stay ahead.

    Herein lies the problem: FOSS developers usually aren't attempting to stay ahead, they're attempting to solve an interesting problem and share their exploits with an appreciative audience.

    There are very few people who find code review fun or fulfilling (best case scenario: people discover your mistakes and point them out, and then someone has to patch them without introducing more issues, and nothing novel is done).

  13.  
    Anonymous Coward, Jun 6th, 2014 @ 5:32pm

    I wonder if the client updating their OpenSSL software is enough to prevent the man-in-the-middle attack from happening. That way even if the server doesn't upgrade its OpenSSL software, the client is still safe?

  14.  
    Anonymous Coward, Jun 6th, 2014 @ 5:47pm

    Re: Eric

    You can say that again.

  15.  
    orbitalinsertion (profile), Jun 6th, 2014 @ 6:44pm

    Re: Re: Eric

    no, you are (probably) pretending to not know what he's saying. pretty sure most others understand; at minimum the person who replied to the first post and elicited the second. which, it also seems, you pretend not to understand. probably in service of making your own point. fail.

  16.  
    orbitalinsertion (profile), Jun 6th, 2014 @ 6:51pm

    Re:

  17.  
    Anonymous Coward, Jun 7th, 2014 @ 12:27am

    Re: Re:

    This might be only because the volunteers and hobbyists aren't shielded from public view by corporate curtains.

    It might also have to do with the fact they can get down to fixing bugs without having to write many memos, and go through several rounds of meetings just to justify the existence of managers.

  18.  
    RonKaminsky (profile), Jun 7th, 2014 @ 9:36am

    Re: Half Assing it all

    > without just compensation

    Your comment was quite insightful, until this. You obviously don't understand how open-source works. Quite a large part of the widely-used projects are developed by paid employees of interested companies, and the majority of the remainder is developed by people who are quite aware that they are not working for monetary compensation (and I would guess that most don't even expect egoboo).

    A very, very small minority GPL their stuff thinking that they'll rake something in via parallel licensing deals. A minuscule number of those, actually do (disclaimer: I know one such FOSS developer).

  19.  
    Anonymous Coward, Jun 7th, 2014 @ 9:43am

    Yes, it's a good thing *for OpenSSL*.

    However how much effort should you put to polish crap (to stay polite)? They've proven the codebase is simply horrible. And Bob Beck's presentation points out so many epic fails from the openSSL coders, that it's really not worth the effort of trying to fix.

    Might as well just move on to better software, with more responsible developers, like GnuTLS or LibreSSL.

    https://www.youtube.com/watch?v=GnBbhXBDmwU

  20.  
    RonKaminsky (profile), Jun 7th, 2014 @ 10:55am

    Bad way to evaluate relative risk

    > GnuTLS

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3466 ?

    Switching libraries might be worthwhile, or possibly not, depending on how much audited code on the application side would need to be rewritten.

    All software has bugs, OpenSSL will probably get sorted out eventually.

  21.  
    Anonymous Coward, Jun 8th, 2014 @ 11:22pm

    Re: Re: Re:

    The number of times I've had managers ask to hear a detailed description of the cause and fix for a bug, and you know they don't understand a word of it!

  22.  
    Anonymous Coward, Jun 9th, 2014 @ 1:49am

    Open-source FTW.

