More post-Heartbleed love/cash for OpenSSL

Filed Under: Cryptography, Featured

Here's a thought experiment.

A cryptographic crisis has broken out.

Your favourite ISP/​social network/​webmail provider/​taxation office/​server farm/​instant messaging app/​gambling portal/​video channel/​on-line game/​file sharing service [delete where inapplicable] just realised something.

For the last two years, its servers have/​may have/​may not have [delete where inapplicable] been happily sharing random fragments of your most private data with anyone who knew a special data leakage trick.

The good part is that everyone quickly fixed the problem, which was due to a bug in OpenSSL.

(One compile-time option to switch heartbeats off, or one added bounds check on the incoming heartbeat record, is enough to squash the Heartbleed bug.)
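To make that "one added line" concrete, here is an added example, written for this article and not taken from OpenSSL's source: a deliberately simplified model of an RFC 6520 heartbeat handler, in the vulnerable shape and then with the missing length check. The names, the record layout and the in-process `arena` standing in for the heap are all hypothetical; the point is that the vulnerable handler trusts the peer's claimed payload length and echoes back whatever happens to sit in memory after the record.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified heartbeat request (after RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding
 * with at least 16 bytes of padding. Not OpenSSL's own structures. */
#define HB_REQUEST 1
#define HB_MIN_PAD 16

/* Constructed stand-in for the process heap. The received record sits at the
 * start; unrelated data (the "secret") is placed directly after it, the way
 * other connections' buffers would follow it in a real heap. Every read below
 * stays inside this array, so the demo is well-defined C even when it over-reads. */
static unsigned char arena[256];
static const char secret[] = "user=alice;session=0xdeadbeef";  /* constructed */

/* Build a record that *claims* `claimed` payload bytes but actually carries
 * `actual` of them plus minimum padding. Returns how many bytes "arrived". */
static size_t build_record(uint16_t claimed, size_t actual) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memset(arena + 3, 'A', actual);
    size_t rec_len = 1 + 2 + actual + HB_MIN_PAD;
    memcpy(arena + rec_len, secret, sizeof secret);   /* "adjacent heap" */
    return rec_len;
}

/* Vulnerable shape: believes the peer's payload_length and never compares it
 * with rec_len, so the reply is filled from memory past the record. */
static int heartbeat_unchecked(const unsigned char *rec, size_t rec_len,
                               unsigned char *out, size_t out_cap) {
    (void)rec_len;                          /* never consulted: that is the bug */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* Only to keep this demo inside `arena`; the real bug had no such cap. */
    if (payload > out_cap || 3 + payload > sizeof arena) return -1;
    memcpy(out, rec + 3, payload);          /* over-reads when payload lied */
    return (int)payload;
}

/* Fixed shape: if header + claimed payload + minimum padding does not fit in
 * what actually arrived, silently discard the record (RFC 6520 section 4). */
static int heartbeat_checked(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap) {
    if (1 + 2 + HB_MIN_PAD > rec_len) return -1;          /* not even a header */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_MIN_PAD > rec_len) return -1; /* the missing check */
    if (payload > out_cap) return -1;
    memcpy(out, rec + 3, payload);
    return (int)payload;
}

/* Naive substring scan: did the secret end up in the reply? */
static int reply_leaks_secret(const unsigned char *out, int n) {
    size_t slen = strlen(secret);
    if (n < 0 || (size_t)n < slen) return 0;
    for (size_t i = 0; i + slen <= (size_t)n; i++)
        if (memcmp(out + i, secret, slen) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable handler leaked the secret, 0 if not, -1 if it rejected. */
static int unchecked_leaks(uint16_t claimed, size_t actual) {
    unsigned char out[256];
    size_t rec_len = build_record(claimed, actual);
    int n = heartbeat_unchecked(arena, rec_len, out, sizeof out);
    return n < 0 ? -1 : reply_leaks_secret(out, n);
}

/* Bytes the fixed handler echoes, or -1 when it discards the record. */
static int checked_accepts(uint16_t claimed, size_t actual) {
    unsigned char out[256];
    size_t rec_len = build_record(claimed, actual);
    return heartbeat_checked(arena, rec_len, out, sizeof out);
}

int main(void) {
    /* Honest request: claims 4 bytes, sends 4. Both handlers echo 4 bytes. */
    printf("honest   : unchecked leak=%d checked=%d\n",
           unchecked_leaks(4, 4), checked_accepts(4, 4));
    /* Lying request: claims 200 bytes, sends 4. Only the fixed handler refuses. */
    printf("malicious: unchecked leak=%d checked=%d\n",
           unchecked_leaks(200, 4), checked_accepts(200, 4));
    return 0;
}
```

The compile-time escape hatch mentioned above is the other half of the story: a build with heartbeats disabled never reaches a handler like this at all, which is why it was the fastest mitigation for anyone who could not yet patch.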

The bad part is that no-one could be sure that there weren't other problems.

What if there were?

Problems that might be harder to find, trickier to fix, and even more dangerous?

After all, if an expert cryptographic programmer could mistakenly send other people's data to you, 64KB at a time and as often as you cared to ask, right from the heart of a widely-used software library that implemented a feature that was supposed to be providing Transport Layer Security...

...who knows what other dragons might lie yet undiscovered in more than half a million lines of source code in more than 2000 files?

So the decision facing you in this thought experiment is, "What to do?"

There are two obvious answers: plan A, roll up your sleeves and rework the code yourself; or plan B, put up the money so that the people who already maintain it can do the job properly.

We already wrote about the trailblazers who opted for plan A.

The OpenBSD guys, who have turned their scalpels on important system software before, formed the LibreSSL project to re-work the OpenSSL source code.

And the Linux Foundation has now announced its plan B:

The Core Infrastructure Initiative is a multi-million dollar project to fund and support critical elements of the global information infrastructure. It is organized by The Linux Foundation and supported by Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, RackSpace, and VMware. CII enables technology companies to collaboratively identify and fund open source projects that are in need of assistance, while allowing the developers to continue their work under the community norms that have made open source so successful.

Lofty goals, indeed, but, at least for now, it's all about Heartbleed:

The first project under consideration to receive funds from the Initiative will be OpenSSL, which could receive fellowship funding for key developers as well as other resources to assist the project in improving its security, enabling outside reviews, and improving responsiveness to patch requests. CII was formed as a response to the Heartbleed security crisis; however, the Initiative's efforts will not be restricted to security-related issues.

The Linux Foundation is no stranger to security calamities, having been hit by malware back in August 2011, ending up with at least some of its web properties offline until early 2012 - proof indeed that recovering from a cyberattack can be exhaustive and exhausting work.

And while the OpenBSD guys are already hard at work on LibreSSL, their reworked fork of OpenSSL, the Linux Foundation still has a long way to go before it can begin to disburse its promised funds.

There are a lot of future tense verbs on the CII web page, with both a steering committee and an advisory board yet to be formed:

A steering committee will be formed of CII members, developers and industry stakeholders to identify projects in need of support... An advisory board of open source developers and respected community members will help to inform the steering committee... CII will be funded by donations from individuals and members of the Initiative.

Perhaps the OpenBSD guys have the most practical short-term idea: jump right in, go through all the code, and submit it to a vigorous shake-up.

After all, as the OpenSSL source itself suggests, at least in its OS X incarnation:

I've gotten OpenSSL working on the Macintosh. It's probably a bit of a hack, but it works for what I'm doing. If you don't like the way I've done it, then feel free to change what I've done. I freely admit that I've done some less-than-ideal things in my port, and if you don't like the way I've done something, then feel free to change it-- I won't be offended!

But not everyone can contribute by coding or reviewing code, so the Linux Foundation's effort to provide a platform for broader contribution is to be praised, too.

Many eyes don't make all bugs shallow - that's an urban myth - but no eyes at all leaves every bug buried somewhere!

Image of trippy background courtesy of Shutterstock.


2 Responses to More post-Heartbleed love/cash for OpenSSL

  1. Skeptical · 531 days ago

    Kinda seems to me the Linux Foundation is throwing away money on OpenSSL after the comments from OpenBSD developers on their particular problems with the code base. On the other hand, OpenBSD is SUPPOSED to be auditing all the software that goes into their operating system so someone has obviously been dropping the ball there as well for either not taking care of the obvious problems, or advising users there IS a problem with the code base.

    • Paul Ducklin · 531 days ago

      Strictly speaking - the content of my article notwithstanding :-) - the Linux Foundation hasn't thrown money at anything yet, and has (if you take into account all the future tenses and subjunctives) left the door open to giving OpenSSL nothing, at least not directly.

      Who knows? Perhaps the Linux Foundation can be convinced to bankroll LibreSSL instead, or as well, on the grounds that choice is good, and the code will have been reviewed quite extensively, quite soon?

      I too have a sense of surprise that OpenBSD didn't get stuck into OpenSSL years ago, but [a] hindsight is usually 6/6 and [b] perhaps "life was simply too short" until the clear and present danger of heartbleed was spotted.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog