March 18, 2015

The world is about to get another reminder about just how much of the Internet runs on technology maintained by a handful of coders working on a shoestring budget. OpenSSL — the software used by thousands of companies to encrypt online communications — is set to get a security makeover this week: The OpenSSL project said it plans to release new versions of its code to fix a number of security weaknesses, including some classified as “high” severity.

OpenSSL is deployed at countless organizations, including at Web giants like Facebook, Google and Yahoo, as well as broadly across U.S. federal government networks. As its name suggests, OpenSSL implements the Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), for Web sites and associated networks, so that data in transit cannot be read or altered by untrusted parties.

The patch is likely to set off a mad scramble by security teams at organizations that rely on OpenSSL. That’s because security updates, particularly those to open-source software like OpenSSL whose code anyone can view, give cybercriminals a road map: diffing the patched release against the previous one shows exactly where the fixed vulnerabilities lie and offers insight into how to exploit them on systems that have not yet updated.
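For the defenders’ side of that scramble, here is an added example (not code from the article or from the OpenSSL project) of the first triage step: parse the string that `openssl version` prints on each host and decide, per release branch, whether the build predates the fixed release. The `FIXED_PLACEHOLDER` table is hypothetical and must be filled in from the advisory once it is published; the inventory is a constructed sample, not a real fleet.

```python
"""Triage which hosts still run a pre-fix OpenSSL, from `openssl version` output.

Added example for this article; not code from the OpenSSL project.
FIXED_PLACEHOLDER is hypothetical: fill it in from the actual advisory.
"""
import re
from typing import Dict, NamedTuple, Optional


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    fix: int
    patch: str   # letter suffix: '' for 1.0.2, 'a' for 1.0.2a, 'zf' for 0.9.8zf
    suffix: str  # vendor tag such as '-fips' on RHEL/CentOS builds, else ''


# Leading part of `openssl version` output, e.g.
# "OpenSSL 1.0.1k 8 Jan 2015" or "OpenSSL 1.0.1e-fips 11 Feb 2013".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-[A-Za-z0-9_-]+)?")


def parse_version(text: str) -> Optional[OpenSSLVersion]:
    """Return the parsed version, or None for output that is not OpenSSL's."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, fix, patch, suffix = m.groups()
    return OpenSSLVersion(int(major), int(minor), int(fix), patch, suffix or "")


def branch(v: OpenSSLVersion) -> str:
    """Release branch that receives its own fix, e.g. '1.0.1'."""
    return f"{v.major}.{v.minor}.{v.fix}"


def patch_rank(patch: str) -> tuple:
    """Order patch letters the way OpenSSL issues them: '' < a < ... < z < za < zb.

    A shorter suffix always predates a longer one; ties compare alphabetically.
    """
    return (len(patch), patch)


def triage(inventory: Dict[str, str], fixed: Dict[str, str]) -> Dict[str, str]:
    """Map each host to a verdict.

    inventory: host -> raw `openssl version` output
    fixed:     release branch -> first patch letter that carries the fix
    """
    verdicts: Dict[str, str] = {}
    for host, raw in inventory.items():
        v = parse_version(raw)
        if v is None:
            verdicts[host] = "unparseable"            # LibreSSL, NSS, or garbage
            continue
        b = branch(v)
        if b not in fixed:
            verdicts[host] = f"unlisted-branch {b}"   # advisory silent: investigate
        elif patch_rank(v.patch) >= patch_rank(fixed[b]):
            verdicts[host] = "fixed"
        elif v.suffix:
            # Vendor builds keep the upstream string while backporting fixes,
            # so the letter alone cannot prove this host is vulnerable.
            verdicts[host] = "update-or-confirm-vendor-backport"
        else:
            verdicts[host] = "update"
    return verdicts


# Constructed sample data: not a real fleet, and not the real advisory.
SAMPLE_INVENTORY = {
    "web01": "OpenSSL 1.0.1k 8 Jan 2015",
    "web02": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "api01": "OpenSSL 1.0.2a 19 Mar 2015",
    "legacy": "OpenSSL 0.9.8zc 15 Oct 2014",
    "bastion": "LibreSSL 2.1.3",
}
FIXED_PLACEHOLDER = {"1.0.2": "a", "1.0.1": "m"}   # hypothetical values


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY, FIXED_PLACEHOLDER).items():
        print(f"{host:8} {verdict}")
```

Treat an "update" verdict on a distribution package as a prompt to check the package version rather than as proof: Debian, Ubuntu and Red Hat backport fixes into the release they ship without bumping the upstream version string, and the "-fips" check above catches only the Red Hat naming convention.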

Indeed, while the OpenSSL project plans to issue the updates on Thursday, Mar. 19, the organization isn’t pre-releasing any details about the fixes. Steve Marquess, a founding partner at the OpenSSL Software Foundation, said that information will only be shared in advance with the major operating system vendors.

“We’d like to let everyone know so they can be prepared and so forth, but we have been slowly driven to a pretty brutal policy of no [advance] disclosure,” Marquess said. “One of our main revenue sources is support contracts, and we don’t even give them advance notice.”

Advance notice helps not only defenders, but attackers as well. Last year, ne’er-do-wells pounced on Heartbleed, the nickname given to an extremely critical flaw in OpenSSL that allowed anyone to extract passwords, cookies and other sensitive data from servers that were running vulnerable versions of OpenSSL. This Heartbleed disclosure timeline explains a great deal about how that process unfolded in a less-than-ideal manner.

In the wake of Heartbleed, media organizations asked how such a bug — which many security experts said was a fairly obvious blunder in hindsight — could have gone undetected in the guts of the open-source code for so long. Marquess took to his blog to explain, posting an open letter requesting additional financial support for the OpenSSL project and pointing out the stark fact that so much of the Internet runs on top of software that is maintained by a tiny team with a shoestring budget.

“So the mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn’t happened more often,” Marquess wrote of the Heartbleed bug.

In an interview with KrebsOnSecurity, Marquess said the updates to be released tomorrow are partly the product of a spike in donations and funding the organization received in the wake of Heartbleed.

In that brief glare of publicity, the OpenSSL Foundation landed two Linux Foundation fellowships — meaning the group gained two new people who are paid for three years to work full-time on improving the security and stability of OpenSSL. Using donations and some commercial revenues, the foundation also is self-funding two additional people to maintain the code.

“We have four people working full-time on OpenSSL doing just what needs to be done, as opposed to working on stuff that brings in revenue,” Marquess said. “We have a lot more manpower resources, and one of the reasons you’re seeing all these bug and vulnerability fixes coming out now is that not only are outsiders looking for problems but we are too. We’re also doing a major overhaul of the source code, in conjunction with what is going to be probably the biggest crypto audit ever.”


37 thoughts on “OpenSSL Patch to Plug Severe Security Holes”

  1. Mike Davies

    I think it behooves folks like Tim Cook and Jeff Bezos, who have vast i-commerce interests, to provide some no-strings-attached help to the OpenSSL Software Foundation.

    1. Infosec Pro

      It would be very interesting to see a list of all the revenue-generating commercial products shipping with OpenSSL as an integral part of their distros. Not to mention another list of all the e-commerce and new media websites dependent on OpenSSL to secure their LAMP stack servers. Make a map of the profits derived by crowdsourcing costs and privatizing gains. Then hit the beneficiaries to help support those who support them.

    2. meh

      Surely you jest, these are the same companies that can’t hire Americans to make or support their products and they are going to give potentially hundreds of thousands of dollars for free to someone they don’t even have to? If they did this, where will they find the money to bribe our congressmen?

      1. SeymourB

        Pfft, bribing the congressmen comes later, Fortune 500 companies need to find money to pay their executives ever-increasing salaries that have no relevance to the actual performance of the company they’re supposedly tasked with running… even though they don’t actually do much besides shuffle around middle and upper management, then sacking the people who actually produce the product when suddenly they can’t get anything done because the new management is either too scared to make decisions or makes horrendously wrong decisions because they have no clue what they’re doing.

        CxOs prefer to bribe congressmen out of their own pockets – all those pesky “job killing regulations” get in the way of unfettered bribery from corporate sources.

      2. jbmartin6

        OpenSSL is widely used out side the United States.

    3. Rainer

      Actually, for iOS and OS X, Apple uses its own clean-room implementation of SSL (which had its own share of problems in the past).
      For their servers, they use RHEL+CentOS, AFAIK and FreeBSD, Solaris (if you can trust their job-openings).
      So they use OpenSSL there.

  2. JCitizen

    Funny how open source is retrograding to tactics more often seen by proprietary systems; because they finally realized the crooks were on to them as well as all the other distros. It is just one of the hazards of open source. Well maybe it isn’t so funny after all! 🙁

  3. rwk

    Ever since I first heard about free and open source software (FOSS), I wondered how the authors made it sustainable. Brian’s article helps explain it.

  4. Erik

    Those who have some coding skills should take a look at OpenSSL’s codebase – it’s an abhorrent mess. Abhorrent messes will always be full of bugs, and many of these bugs are going to be exploitable.

    While it’s good to see some significant attention being paid to OpenSSL, I’m more encouraged by the LibreSSL project. The folks at OpenBSD decided to start with the OpenSSL codebase, delete support for obsolete operating systems (DOS, VMS, OS/2, etc – which accounted for an obscene percentage of the code), getting rid of stupid design decisions (custom memory management and entropy generation), and then refactoring what remains into a sane, organized format and applying their traditional bug-hunting skills.

    http://www.libressl.org

      1. Erik

        No, the win32 API is supported. It’s interesting to note that their last security update addressed 11 CVEs from OpenSSL. Of the 11, only 5 required coding changes – the others had been either fixed by the LibreSSL team before the bugs were announced in OpenSSL, or architectural changes had proactively eliminated them. Goes to show the value of cleaning up the codebase.

    1. jon

      I don’t believe there would be any large project whose codebase wasn’t an abhorrent mess. Simply not possible.

    2. Tim

      Erik,

      Having worked with it a lot I have to agree that the OpenSSL source code is simply awful. Even worse than that is the documentation which is another huge security risk. It is next to impossible for a developer to know exactly which API calls are needed in order to get the required security. The approach that many resort to is looking at the source code of the library itself or the (even worse) demo apps. I’d be very surprised if many people get it right and it would be very hard for a reviewer to notice a problem.

  5. J

    That’s a shame they are dropping the code for “dead” project languages. Some revisions of the software may keep the older machines useful for the future. There are systems that need revisions to make them more secure. Some of them control “bombs” and things that cannot be retouched from the ground, and may well now be forever out of mind as the US of A dumbs down through cutting of local education and the sciences because of the control by another political party. But that is how it works, take two steps forward, stick your head in the ground, until the stampede has passed.

  6. David B

    I think one should not under-estimate the complexity of the math, crypto, and protocols that must work correctly for a very secure and very trusted OpenSSL . Since cybercriminals now work for financial gain, I’d personally make a donation of $20 to the Linux Foundation, earmarked for the OpenSSL Foundation or the Linux Foundation-related Core Infrastructure Initiative.

  7. Isaac

    After reading this article I went to OpenSSL’s website and made a donation in a show of appreciation of the upcoming update and the work they do. If any individuals or companies feel compelled to do the same here’s a link:

    http://openssl.org/support/donations.html

    1. David B

      That has inspired me. I’m pledging $20 to the OpenSSL Foundation.

      David Bernier

  8. PC.tech

    As of this month, I (wrongly) thought that’s why we were doing all these M*586/7y-6yu!F M$ updates to TSL to get -OFF- SSL…
    STOP dragging the feet … and make-up-your-minds.

    .

    1. Steve Yarlly

      The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) AND TRANSPORT LAYER SECURITY (TLS) PROTOCOLS.
      Read before you speak.

  9. Kriston

    This is another reason why we should consider Mozilla NSS and forget about OpenSSL.

  10. W.C. Fields

    Meh, no surprise here, in fact the JΞSTΞR ✪ ACTUAL™ pointed this one out the other day. he is the interwebs manager. i was waiting for you to post about this Brian, you and him should correspond about things, he is a wealth of knowledge about what you are posting, he will open your eyes. can’t tell you who he is or where he is, but I’m pretty sure he’s been reading your blog. he’s pretty much everywhere.

  11. JeffP

    Shoestring budgets are the norm here. Think of applications like sudo, etc. Here’s a quote from openssh.com.

    Please take note of our Who uses it page, which lists just some of the vendors who incorporate OpenSSH into their own products — as a critically important security / access feature — instead of writing their own SSH implementation or purchasing one from another vendor. This list specifically includes companies like NetApp, NETFLIX, EMC, Juniper, Cisco, Apple, Red Hat, and Novell; but probably includes almost all router, switch or unix-like operating system vendors. In the 10 years since the inception of the OpenSSH project, these companies have contributed not even a dime of thanks in support of the OpenSSH project (despite numerous requests).

  12. Andy

    And even though there are vulnerabilities, OpenSSL is way better than any proprietary stuff on the market.

    1. bk

      No, it’s not. I’ve been in the source for OpenSSL and several proprietary libraries. It’s not the best, it’s just free. That’s not meant as a put-down of the stressed maintainers, but it is meant as a putdown of the high-profit companies who settle for free instead of improving the quality.

  13. PC.tech

    @ Steve Yarlly:

    I can read, wise guy. I also find nothing there that shows any specifics on TSL updates that are referenceable. If you can, please show the reference URL.

    .

  14. Quinn

    Just another example of the “free” internet resources companies faulty business plan ~ give it away & beg for donations.
    Welcome to the real world. Charge a reasonable fee for your services, & stop believing in the “free” dream.
    Make yourself a nonprofit organization if you want to go down the “free” path.
    & that would still be hard. People pay for what they have to & love getting something “free” even though nothing is.

  15. Coop

    Call up Darl McBride… He’ll go after everyone for money like he did over at SCO. Heck, maybe he can even get IBM to pay up!!! Hee Hee Hee

  16. David

    I just went to various sites that I pay bills at, including a major bank, and my Chrome browser said every one of them had obsolete encryption. I don’t know how long it’s been like that because I just looked at the lock icon in the address bar today, after reading this article, out of curiosity.

      1. David

        Thanks Ryan. I really am not good at understanding things that are too technically written, but is it basically saying not to worry about it? It’s just a Chrome browser thing?

        1. SeymourB

          As a general rule of thumb, if you’re using Chrome, and you see or have a problem, then it’s a Chrome browser thing.

          Google has heard of this thing called interoperability and didn’t care much for it. Chrome is really designed to work with Google websites. Its compatibility with other websites is incidental and not part of its design goals.

          1. NaN

            Oh my lord. I haven’t seen such naivety in years; I had to leave a comment. Let me get this straight: as a general rule, if you have an issue in Chrome it’s Chrome’s fault? You sir should have yourself checked. I think you got a case of I don’t know jack.

            1. SeymourB

              Ah, the naivete of users of the Google botnet.

              So you think Google is paying people to distribute Chrome out of the goodness of their hearts? That it only works reliably with Google websites because Google websites are the only correctly written websites on the planet? That they’re not incrementing versions so that nobody besides Google can support a target that moves that quickly?

              I think you need to stop worshiping at the altar of Google (and Facebook, etc.) my good man and get yourself a healthy dose of skepticism. Google is not your friend.
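The “obsolete encryption” note discussed in the thread above concerns the protocol version and cipher suite the browser negotiated with each site, not the site’s certificate. Below is an added example (not from the article, the commenters, or any browser’s code) that applies a rule of that kind: a connection counts as modern only if it uses TLS 1.2 or newer, an ephemeral (ECDHE or DHE) key exchange, and an AEAD cipher. Those thresholds are my assumption about what such warnings keyed on, not Chrome’s published criteria. `inspect_site` performs a live handshake with Python’s `ssl` module; the sample tuples are constructed so that everything else runs offline.

```python
"""Classify a negotiated TLS protocol/cipher pair as modern or obsolete.

Added example; not from the article or any browser. The rule (TLS 1.2+,
ephemeral key exchange, AEAD cipher) is an assumption about what the
"obsolete encryption" warning keyed on, not Chrome's own code.
"""
import socket
import ssl
from typing import List, Tuple

MODERN_PROTOCOLS = ("TLSv1.2", "TLSv1.3")
EPHEMERAL_KX = ("ECDHE", "DHE", "EDH")       # OpenSSL cipher-name prefixes
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def classify(protocol: str, cipher: str) -> Tuple[str, List[str]]:
    """Return ('modern' | 'obsolete', reasons).

    protocol: as returned by SSLSocket.version(), e.g. 'TLSv1.2'
    cipher:   OpenSSL-style suite name, e.g. 'ECDHE-RSA-AES128-GCM-SHA256'
    """
    reasons: List[str] = []
    if protocol not in MODERN_PROTOCOLS:
        reasons.append(f"{protocol} predates TLS 1.2")
    # TLS 1.3 suites (TLS_AES_128_GCM_SHA256) omit the key exchange from the
    # name because every TLS 1.3 handshake is ephemeral.
    if protocol != "TLSv1.3" and cipher.split("-")[0] not in EPHEMERAL_KX:
        reasons.append("key exchange is not ephemeral (no forward secrecy)")
    if not any(marker in cipher.upper() for marker in AEAD_MARKERS):
        reasons.append("cipher is not AEAD (CBC or RC4 mode)")
    return ("obsolete" if reasons else "modern"), reasons


def inspect_site(host: str, port: int = 443, timeout: float = 5.0):
    """Live check: what does this Python build negotiate with the server?"""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, _bits = tls.cipher()
            return classify(tls.version(), name)


# Constructed sample negotiations, not captured from real sites.
SAMPLES = [
    ("bank.example", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("utility.example", "TLSv1", "AES256-SHA"),
    ("shop.example", "TLSv1.2", "DHE-RSA-AES256-SHA"),
    ("new.example", "TLSv1.3", "TLS_AES_256_GCM_SHA384"),
]


def report(samples=SAMPLES):
    """Verdict per sample host, keyed by host name."""
    return {host: classify(proto, suite) for host, proto, suite in samples}


if __name__ == "__main__":
    for host, (verdict, reasons) in report().items():
        print(host, verdict, "; ".join(reasons))
```

The verdict describes what the client and server agreed on, so a live check from a different client (an older Python, a browser with a different cipher list) can legitimately come out differently for the same site; that is the behaviour the thread above is arguing about.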

Comments are closed.