LibreSSL aims to prevent the next Heartbleed

LibreSSL aims to prevent the next Heartbleed

Stop HeartbleedThe wonderful thing about the internet is that it is full of people who do.

You’d be forgiven for not noticing them – it can sometimes feel like the information superhighway is a gridlock of people yelling, beeping their horns and not listening, but trust me, underneath all that posturing it’s crawling with doers.

This legion of achievers creates and maintains a vast mass of occasionally useful and somewhat interlocking pieces of software.

At any one time enough of the individual pieces are able to work successfully with other pieces that, like a whirlpool in a raging torrent, our online universe emerges as a stable structure amidst a boiling froth of software birth, growth, decline, death and rebirth.

Regardless of how any individual project or decision is managed the internet as a whole is an ecosystem organised along Darwinian lines.

There are as many motives for all this doing as there are individuals engaged in it but a vast amount of the really important stuff that’s being done, the creation of building blocks that others will arrange and rearrange to create their own projects, is executed by small groups of specialists who work for free and then simply give their software away.

One such team of doers is the OpenSSL team. Their eponymous encryption library, produced by a tiny team with meagre funding, was so useful, so successful and so widely used and integrated that, without any decision being taken that it should, it proliferated until it became a critical piece of internet infrastructure.

That proliferation is what made the Heartbleed bug so devastating. OpenSSL was everywhere and so was its nastiest bug.

The code’s primary defenses against bugs and flaws are a) that it’s developed by people who know what they’re doing and b) their work is open to scrutiny – anyone who wants to can look at it, poke it, test it, suggest changes or take it away and make their own version.

Of course, just because everyone can look it doesn’t mean that anyone does. It’s easy to assume that somebody else is minding the commons and when it turns out they aren’t a tragedy is sure to follow.

Most of the time, people are happy to go about their business without thinking about how the internet’s building blocks work or how they’re built. Even most of the doers are so busy doing what they’re doing that they can’t concern themselves with how every little thing they rely upon was done.

One such team were the folks at OpenBSD.

OpenBSDOpenBSD is a robust and well established computer operating system that works a lot like Unix or Linux and aims to be the #1 most secure operating system. The team behind it have reputation for being doers when it comes to security.

The OpenSSL library has been included with the OpenBSD operating system for years and it seems that during that time the OpenBSD team have been happy to trust that the OpenSSL team would make a decent fist of looking after their own.

That was before Heartbleed. That bug, it seems, was the last straw.

The credo of the doers is that when you need a bit of software to do something that it doesn’t do, you fix it yourself. What the OpenBSD team need the OpenSSL library to do is to be less broken and they’ve given up waiting for the current maintainers to fix it.

The Rubicon lay somewhere between the discovery of freelists and the unfixed bug ... That unfixed bug (still unfixed in OpenSSL even now, two weeks later, despite OpenBSD, FreeBSD, and Debian all patching it out of tree) galvanized the team. It was clear that a fork was the only solution and that working with upstream [the OpenSSL team] would be a futile effort.

Of course they can’t take the code away from the current maintainers but because the code is open source they are free to either lend a hand, write a better replacement or try to do a better job than the current owners with what’s there already.

They’ve taken the latter course of action, calling their OpenSSL fork LibreSSL. And, being the doers that they are, they’ve got busy rewriting, refactoring and flensing (and this being the OpenBSD team there’s probably been some swearing, eyeball rolling and falling out too).

Scrutiny, vitality and evolution have returned to stagnant but critically important corner of the ecosystem.