Printed from http://www.electronista.com

Critical OpenSSL 'HeartBleed' bug uncovered, affects HTTPS encryption

updated 02:41 pm EDT, Tue April 8, 2014

Security flaw in OpenSSL encryption library dates back to early 2012

A major security flaw has been discovered in the OpenSSL cryptographic software library, jeopardizing the security of a large number of SSL/TLS-based connections. The fault, named the "Heartbleed Bug" and tracked as CVE-2014-0160, is a missing bounds check in OpenSSL's implementation of the TLS heartbeat extension (RFC 6520): a peer can send a heartbeat request that declares a payload length far larger than the data it actually carries, and the vulnerable side replies with up to 64 KB of whatever happens to sit in its process memory next to that request. The bug has existed since OpenSSL 1.0.1 was released in March 2012 but was only recently uncovered, and it puts at risk not only the contents of encrypted online communications but also the private keys used to secure them.

Heartbleed is present in OpenSSL 1.0.1 through 1.0.1f, as well as the 1.0.2 betas, and the 1.0.1 branch is used by a large proportion of servers. The effects of the bug are varied and wide-ranging, with ZDNet reporting it as allowing attackers to recover credit card details from a transaction over HTTPS. Because the leak takes place inside an otherwise normal TLS exchange, exploitation leaves no trace in server logs, and a stolen private key lets an attacker impersonate the server or decrypt recorded traffic from sessions that did not use a forward-secret cipher suite. The Heartbleed site dedicated to the bug, created by Codenomicon, describes it as allowing attackers to "eavesdrop on communications, steal data directly from the services and users, and to impersonate services and users."

Version 1.0.1 has a fix available, bringing it to 1.0.1g, and a corresponding fix for the 1.0.2 beta is also being worked on. Service providers have been asked to install the fix as quickly as possible; where an upgrade cannot be done immediately, OpenSSL can be rebuilt with -DOPENSSL_NO_HEARTBEATS to remove the affected code. Two caveats apply. First, patching only closes the hole: anything already read out of memory (private keys, session cookies, passwords) must be assumed compromised, so affected sites should generate new keys, reissue and revoke their certificates, and invalidate sessions and credentials once the fixed library is in place. Second, Linux distributions have backported the fix into their existing 1.0.1e packages, so the version string alone does not show whether a system is patched; check the package changelog or the build date reported by "openssl version -a".

OpenSSL versions 1.0.0 and 0.9.8 are not affected by the flaw, because those branches never implemented the heartbeat extension.
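As an added illustration that is not code from this article or from OpenSSL, the following C program reproduces the missing check in miniature. The message layout follows RFC 6520; the "process memory" array, the secret string placed directly after the record, and the handler and helper names are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL's code. A heartbeat message (RFC 6520) is
 * type(1) | payload_length(2) | payload | padding(at least 16 bytes).
 * The received record sits at offset 0 of a constructed "process memory"
 * array, followed immediately by a made-up secret standing in for whatever
 * a real server keeps next to the record on its heap. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };
#define MEM_SIZE 128
static const char SECRET[] = "session=SECRET-COOKIE-42";   /* constructed */

/* Vulnerable handler (pre-1.0.1g shape): the peer-supplied length field is
 * trusted, so memcpy reads past the end of the record whenever the declared
 * payload is larger than the payload actually received. */
static size_t hb_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    if (rec_len < 3)
        return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (3 + payload_len + HB_PADDING > out_cap)
        return 0;                      /* only the output buffer is checked */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);        /* over-read happens here */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Fixed handler: the bounds check added in 1.0.1g. Header, declared payload
 * and padding must all fit inside the bytes actually received; otherwise the
 * message is silently discarded. */
static size_t hb_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if (rec_len < 3 + HB_PADDING)
        return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (3 + payload_len + HB_PADDING > rec_len)
        return 0;                      /* declared length exceeds the record */
    if (3 + payload_len + HB_PADDING > out_cap)
        return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Lay out a request that carries `payload` but declares `declared_len` bytes,
 * then place SECRET right after it. Returns the true record length. */
static size_t build_memory(unsigned char *mem, uint16_t declared_len,
                           const char *payload)
{
    size_t plen = strlen(payload);
    size_t rec_len = 3 + plen + HB_PADDING;
    memset(mem, 0, MEM_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(declared_len >> 8);
    mem[2] = (unsigned char)(declared_len & 0xff);
    memcpy(mem + 3, payload, plen);
    memcpy(mem + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* Run one request through the chosen handler; returns the response length and,
 * via *leaked, whether the response contains the adjacent secret. */
static size_t run(int use_fixed, uint16_t declared_len, const char *payload,
                  int *leaked)
{
    unsigned char mem[MEM_SIZE], resp[MEM_SIZE];
    size_t rec_len = build_memory(mem, declared_len, payload);
    size_t n = use_fixed ? hb_fixed(mem, rec_len, resp, sizeof resp)
                         : hb_vulnerable(mem, rec_len, resp, sizeof resp);
    *leaked = 0;
    for (size_t i = 0; i + (sizeof SECRET - 1) <= n; i++)
        if (memcmp(resp + i, SECRET, sizeof SECRET - 1) == 0)
            *leaked = 1;
    return n;
}

size_t heartbeat_response_len(int use_fixed, uint16_t declared_len, const char *payload)
{
    int leaked;
    return run(use_fixed, declared_len, payload, &leaked);
}

int heartbeat_leaks_secret(int use_fixed, uint16_t declared_len, const char *payload)
{
    int leaked;
    run(use_fixed, declared_len, payload, &leaked);
    return leaked;
}

int main(void)
{
    printf("vulnerable, \"ping\" declared as 64 bytes: %zu-byte reply, leaks secret: %d\n",
           heartbeat_response_len(0, 64, "ping"), heartbeat_leaks_secret(0, 64, "ping"));
    printf("fixed, same request: %zu-byte reply (dropped)\n", heartbeat_response_len(1, 64, "ping"));
    printf("fixed, honest 4-byte request: %zu-byte echo\n", heartbeat_response_len(1, 4, "ping"));
    return 0;
}
```

Compiled with any C99 compiler, the vulnerable handler answers a four-byte "ping" that claims 64 bytes with an 83-byte reply carrying the adjacent secret, while the fixed handler drops that request and only echoes an honestly sized one. The real bug has exactly this shape with a 16-bit length field, which is where the 64 KB ceiling per request comes from; an attacker simply repeats the request to walk through more of the heap.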



By Electronista Staff

Comments

  1. The Vicar

    Junior Member

    Joined: 07-01-09

    Oh, but don't forget — open source software is inherently more secure than anything else! Because many eyes! And... and... freedom! This didn't actually happen, and it isn't serious! Stop reading at once!

  1. DiabloConQueso

    Fresh-Faced Recruit

    Joined: 06-11-08

    It sounds like you have both a bias against and a lack of understanding concerning open-source software.

  1. chas_m

    MacNN Staff

    Joined: 08-04-01

    The Vicar is prone to hyperbole, but this is the second serious security flaw found in an open-source project of late -- and in this case, it was a flaw introduced into a later version, not originally present. I think it is fair to say that everybody in the industry -- Google, Apple, MS, the open-source community, everybody -- needs to make security a bigger priority than it has been.

  1. besson3c

    Clinically Insane

    Joined: 03-03-01

    Originally Posted by DiabloConQueso

    It sounds like you have both a bias against and a lack of understanding concerning open-source software.




    Exactly, and the ignorance is particularly amusing here since it is very, very probable that Google, MS, Apple, et al. use OpenSSL with their products.

  1. Lifeisabeach

    Fresh-Faced Recruit

    Joined: 05-25-10

    Chas is dead-on here. Just because open source could, in principle, have "more eyes" on it looking for bugs doesn't mean it's actually happening. Evidence of late suggests differently. As another example, look at TrueCrypt, the open source encryption software. They had to raise money to fund an independent audit because no one knows just how secure it really is. Hell, they don't even know who started the project in the first place.

  1. The Vicar

    Junior Member

    Joined: 07-01-09

    "Many eyes" is foolishness. Most people — even most developers — really aren't good at writing code. It's the deep, dark secret of the software industry: developers are mostly bad at their jobs. (The increasing pressure to outsource coding projects contributes to this by making a lot of "developers" out of people who have no clue what they're doing, but is by no means responsible for the existence of the problem.) The people who contribute to open source projects are no exception to the rule; the only difference is that there's no way to get rid of them, and so you end up with the WikiPedia problem as described by Dave Kellett ( http://www.sheldoncomics.com/archive/071213.html ), only in software. (The perfect, dictionary-definition example of exactly this problem is the 2008 Debian SSL vulnerability, but there are many, many more.) "Many eyes" is only a good or useful thing if those eyes are connected to functioning brains, and most of them aren't, just as "you have access to the code" is only a good thing if you're willing to immerse yourself in an existing codebase to track down bugs or add new features, which generally takes up a massive amount of time, and which therefore most people aren't. (In fact, most people are willing to pay developers in order to AVOID having to develop code themselves. If they weren't, the software industry basically wouldn't exist.)

    This bug, and the TLS bug from a little while back, are interesting because — in conjunction with Apple's own TLS bug* — they illustrate that open source fails at least as badly as proprietary software. Only with proprietary software, it's easy to tell whether a patch has been installed. With open source, there's really no way of knowing, because open source projects are often suppurating piles of dependencies, sometimes even requiring outdated versions of their dependencies in order to compile. (Often for idiotic reasons; you might see OpenSSL included in a project which does something on the network not because OpenSSL is going to be used for networking, but because some dev on the other project wanted a string-formatting function from OpenSSL's logging code. The resulting project will probably not be vulnerable to OpenSSL's networking bugs... provided the developer did everything right, except that since most developers aren't actually good at development, they probably didn't.) There are also possibly firmware-type products out there which use OpenSSL, where the only way to deliver the code is a binary blob, and some of them may no longer be in active development, meaning that this bug may quietly live on essentially forever, with nobody the wiser. (And even if patches become available, it's not realistically possible to be certain whether they have actually propagated, because the major open-source OSes decouple practically every function of the OS from every other function. Having a patched version of Apache doesn't mean that you have a patched version of anything else.)

    *And yes, Apple's bug was asinine and embarrassing. Using bracketless conditionals is a notorious cause of exactly that kind of problem, and there is no good reason to permit them in code which has implications for security or overall stability. I'm reasonably sure Apple has code formatting rules which devs are forced to adopt, which makes this even worse — one of the few times when formatting rules would actually have improved the actual code performance, and they dropped the ball. (Heck, I know for a fact that there exist automated tools to turn bracketless conditionals into bracketed ones, or at least detect them. They could have had a filter on their version control system to prevent this problem from even happening — but so could the open-source folks.)

    So, to put it baldly: OpenSSL is at least as bad as Apple's proprietary code, and possibly worse, but where Apple's proprietary code makes it easy to determine whether appropriate patches are applied, the nature of open source introduces an impossible-to-overcome obstacle to ensuring that patches are both available and effective.
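The Apple bug referred to in the footnote above is the "goto fail" flaw in SecureTransport (CVE-2014-1266), and the control-flow shape behind it is short enough to show. The following is an added example, not Apple's code: the hashing and verification steps are constructed stand-ins named for the example, and the error values are illustrative.

```c
#include <stdio.h>

/* Added example, not Apple's code. Stand-ins for the steps of a
 * signed-parameter check; each returns 0 on success, nonzero on failure,
 * in the err-and-goto-fail style the original function used. */
enum { ERR_OK = 0, ERR_BAD_SIGNATURE = -1 };

static int hash_update(void) { return ERR_OK; }   /* hashing never fails here */
static int hash_final(void)  { return ERR_OK; }
static int raw_verify(int signature_valid)        /* the check that matters */
{
    return signature_valid ? ERR_OK : ERR_BAD_SIGNATURE;
}

/* Bracketless form with the duplicated line. The second "goto fail;" is
 * indented as if it belonged to the if, but C attaches only the first
 * statement to it: the second runs unconditionally, err is still 0 from the
 * successful hash step, and raw_verify() is never reached. GCC's
 * -Wmisleading-indentation (in -Wall since GCC 6) and clang's
 * -Wunreachable-code both flag this. */
int verify_bracketless(int signature_valid)
{
    int err;
    if ((err = hash_update()) != 0)
        goto fail;
        goto fail;
    if ((err = hash_final()) != 0)
        goto fail;
    err = raw_verify(signature_valid);
fail:
    return err;
}

/* Braced form: the same stray line would either land inside the braces
 * (harmless) or stand out as an unguarded statement at function scope. */
int verify_braced(int signature_valid)
{
    int err;
    if ((err = hash_update()) != 0) {
        goto fail;
    }
    if ((err = hash_final()) != 0) {
        goto fail;
    }
    err = raw_verify(signature_valid);
fail:
    return err;
}

int main(void)
{
    printf("bracketless, bad signature: err=%d (0 means accepted)\n", verify_bracketless(0));
    printf("braced,      bad signature: err=%d\n", verify_braced(0));
    printf("braced,      good signature: err=%d\n", verify_braced(1));
    return 0;
}
```

The bracketless version returns 0 for a bad signature, which is the whole bug: a server presenting any key exchange signature is accepted. Mandatory braces would not have made the duplicated line correct, but they would have made it visible, and a warning-as-error build with the flags named above would have refused to compile it.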

  1. shawnde

    Fresh-Faced Recruit

    Joined: 04-01-08

    Well, it sounds like "The Vicar" knows what he's talking about.

  1. chas_m

    MacNN Staff

    Joined: 08-04-01

    Just for the record -- to address Besson3c's concerns -- Apple (and iCloud), Google and Microsoft do not appear to use OpenSSL and are thus in the 33 percent or so of web servers not affected by the issue.

  1. Grendelmon

    Dedicated MacNNer

    Joined: 12-26-07

    Originally Posted by The Vicar

    "Many eyes" is foolishness. Most people — even most developers — really aren't good at writing code. It's the deep, dark secret of the software industry: developers are mostly bad at their jobs. (The increasing pressure to outsource coding projects contributes to this by making a lot of "developers" out of people who have no clue what they're doing, but is by no means responsible for the existence of the problem.) The people who contribute to open source projects are no exception to the rule; the only difference is that there's no way to get rid of them, and so you end up with the WikiPedia problem as described by Dave Kellett ( http://www.sheldoncomics.com/archive/071213.html ), only in software.



    This is the dumbest thing I have ever heard of regarding modern software development.

    "Many eyes" can be and usually is a huge benefit for code integrity: people's work gets checked. This is also why you have code reviews. Every organization I have ever worked for in my entire career has hired, nurtured and created stellar software developers. But they have all had stringent code practices. This is just my personal experience. However, in all my exposure to the enterprise industry, I have hardly come across many "bad" developers.

    This "deep, dark secret" or whatever you claim sounds like complete bullshit to me.

  1. besson3c

    Clinically Insane

    Joined: 03-03-01

    The Vicar: I don't really understand your argument. What you wrote about the possibilities of re-bundling older versions of library dependencies and compiling against older versions of things is true, open source is often a spiderweb of libraries, code, dependencies, etc. That is both its strength and weakness.

    But this means that it is *possible* to do dubious things, perhaps even easier to do so in the open source world. It is, of course, possible to do dubious things writing any kind of code. However, where your argument breaks down, I think, is that because developers are generally morons, it is more likely you'll find bad stuff in the open source world. Is that an accurate summation?

    If so, and to simultaneously address chas_m's point, what about the other key technologies behind a project that might use OpenSSL: nGinx/lighttpd/Apache, Bind, GCC, Rails/NodeJS/PHP/Python, caching servers, PostgreSQL/MySQL, Git, Dovecot/Cyrus IMAP, Postfix/Sendmail/etc., SSH, etc.? Why would companies the size of Apple/MS/Google use many of these technologies if their assessment of them was poor, and that they put their respective companies at risk with so much at stake? These technologies don't just do little trivial things, their importance is huge. Email alone is kind of a big deal.

    You're right, more eyes in and of itself isn't better, but the potential for more of a certain calibre of eye is, for vetting purposes. I'm sure plenty of people have vetted OpenSSL over the years, but the quality of a maintained project of this nature is not static. A number of my servers are running OpenSSL 0.9.8, which is not affected by this bug; it could be that OpenSSL was in better hands back in this timeframe. The same is true of proprietary software: people come and go, resources are allocated and deallocated, fatigue and enthusiasm set in, etc. People are human.

    The main difference between open source and proprietary software to me is that open source software has the *potential* for high quality vetting. It doesn't mean that this always happens, or that just being dubbed open source makes this happen on its own. With open source software comes pros and cons, and as well there are often pros and cons in reinventing the wheel.

    All of this is to say that with the sorts of projects that open source development works well with (i.e. small, very specific tools and building blocks that can be pieced together to make things), the *upside* is potentially greater having things open.

    Of course, there are also all sorts of political pros and cons for making things open source too, but that is a whole other matter.

  1. wrenchy

    Forum Regular

    Joined: 11-03-09

    Originally Posted by The Vicar

    "Many eyes" is foolishness.



    Yes and everyone knows closed-source proprietary programs/code has NO bugs or flaws. None whatsoever.
