Yes, Another Massive Vulnerability Was Found In OpenSSL, But This Is Actually A Good Sign
from the five-eyes... dept
Yes, just about the time that we announced that Techdirt had shifted to 100% SSL, it came out that there was another massive flaw in OpenSSL, and we started to scramble to update our SSL (that’s now done). This latest vulnerability would make man-in-the-middle attacks easier, which is a serious and significant problem, but it’s a very different vulnerability from the high-profile Heartbleed, which let people go fishing for all sorts of information on various servers. There’s a good technical overview here, which indicates that the bug has actually… been around since at least 1998. So, uh, yeah, this vulnerability has been sitting out there for a long, long time.
While some will react to this with (perhaps reasonable) horror, it’s worth remembering that, despite being such an integral piece of internet security infrastructure, OpenSSL has mostly been a part-time project for those involved, and only recently (after Heartbleed) have efforts really been made to bump up the resources behind it and the careful security analysis of OpenSSL for vulnerabilities. As security expert Matthew Green points out, “the sudden proliferation of OpenSSL bugs is to be expected and a good thing. Like finding dirty socks during spring cleaning.” In other words, there’s a lot more attention being paid to OpenSSL and its security these days, and it’s inevitable that vulnerabilities are going to be found. Expect more. But, in the long run, that’s a good thing. The more attention there is to cleaning up such software, the better.
Filed Under: bugs, openssl, security, vulnerabilities
Comments on “Yes, Another Massive Vulnerability Was Found In OpenSSL, But This Is Actually A Good Sign”
which indicates that the bug has actually… been around since at least 1998
So we can assume that the NSA has been exploiting it for about 16 years now.
Half Assing it all
I work in the Tech Sector.
I can tell you that 95% of the time every last piece of code, project, script, or build is literally just enough to push it out and say WE ARE READY! Just enough to get by!
Just about every organization I have ever worked for is loaded with Professionals that are really not that skilled, even in the area they work. And it’s hard to really fault the open source community because a lot of it is done on their own time and without just compensation!
Re: Half Assing it all
openSSL
The good news is openSSL is getting fixed and more importantly they are pushing out patches quickly.
The flaw is with DTLS, so websites weren’t affected. Mainly, I would think probably VPNs and custom VoIP setups would probably be most affected. On the VoIP side of things, we already have CALEA, so if LEOs want to tap your phone, they can do that easily.
I really think the implications are sort of overblown as it would still be hard to pull this off. The good thing is that this was fixed, and it’s before Mozilla launches WebRTC which relies heavily on DTLS, and holds some promise to shake things up.
Re: Re:
There were several flaws fixed in this release. The one Mike is talking about is not the DTLS one, it’s the ChangeCipherSpec one. It applies to any buggy version of OpenSSL connecting to a buggy recent version of OpenSSL.
Eric
Well it sounds as though there is an advantage to open source software.
Re: Eric
You can say that again.
Eric
Well it sounds as though there is an advantage to open source software.
Re: Eric
two in a row; and we still don’t know what you’re saying.
Re: Re: Eric
no, you are (probably) pretending to not know what he’s saying. pretty sure most others understand; at minimum the person who replied to the first post and elicited the second. which, it also seems, you pretend not to understand. probably in service of making your own point. fail.
I say it’s time we protect our infrastructure by taking it away from amateurs and putting it in the hands of professionals!
… is what you’ll be hearing soon.
Re: Re:
Except that the people writing SSL are professionals; they’re just professionals that mostly work for free. If companies were willing to send money to the OpenSSL dev team, we wouldn’t have critical infrastructure written by a 5-person team of unpaid volunteers.
Re: Re:
If I recall correctly, Microsoft’s longest-lasting security vuln/bug went for 17 years — plus several months to acknowledge the problem, get off their duffs, and actually fix it.
Flawed code seems to be an endemic, and probably intrinsic, problem — whether written by paid “professionals” or unpaid “volunteers” (and studies back this up — open source projects have favorable error rates compared to closed source commercial development.) But historically the volunteers appear to be generally more responsible about addressing the issues that come up, promptly and correctly.
This might be only because the volunteers and hobbyists aren’t shielded from public view by corporate curtains — they have more to lose, personally — and less opportunity to hide shortcomings or make excuses. Or maybe they just care more. Money doesn’t seem to have been as effective a motivator for commercial software review as has been generally argued.
Either way, code review is one of those unglamorous, tedious tasks that volunteer hobbyists don’t enjoy, and commercial software houses find expensive for little obvious direct benefit. Both groups need to take it seriously. It used to be that the Microsofts of the software world didn’t give such work a sufficiently high priority — and it showed. It appears that perhaps the time has come that FOSS circles need to reassess their priorities in this regard as well, if they wish to stay ahead.
Re: Re: Re:
It appears that perhaps the time has come that FOSS circles need to reassess their priorities in this regard as well, if they wish to stay ahead.
Herein lies the problem: FOSS developers usually aren’t attempting to stay ahead, they’re attempting to solve an interesting problem and share their exploits with an appreciative audience.
There are very few people who find code review fun or fulfilling (best case scenario: people discover your mistakes and point them out, and then someone has to patch them without introducing more issues, and nothing novel is done).
Re: Re: Re:
It might also have to do with the fact they can get down to fixing bugs without having to write many memos, and go through several rounds of meetings just to justify the existence of managers.
Re: Re: Re: Re:
The amount of times I’ve had managers ask to hear a detailed description of the cause and fix for a bug, and you know they don’t understand a word of it!
I wonder if the client updating their OpenSSL software is enough to prevent the man-in-the-middle attack from happening. That way even if the server doesn’t upgrade its OpenSSL software, the client is still safe?
Re: Re:
There were links.
http://www.openssl.org/news/secadv_20140605.txt
Yes, it’s a good thing *for OpenSSL*.
However how much effort should you put to polish crap (to stay polite)? They’ve proven the codebase is simply horrible. And Bob Beck’s presentation points out so many epic fails from the openSSL coders, that it’s really not worth the effort of trying to fix.
Might as well just move on to better software, with more responsible developers, like GnuTLS or LibreSSL.
https://www.youtube.com/watch?v=GnBbhXBDmwU
Re: Bad way to evaluate relative risk
Open-source FTW.