Hacker Read

Like OpenSSL? Rhetorical question; OpenSSL was both open source and broadly used, and it took over two years to identify Heartbleed.

Plus, many companies, Microsoft included, open up their source code to partners.

The openness of source code has little correlation to its security.




That's not a panacea. OpenSSL was completely open source, and it took, what, 2-3 years for Heartbleed to be discovered and rectified? And it's a major building block of the internet.

For open source to help, people have to actually review the code.


Yea, how long was OpenSSL's Heartbleed an issue? And that was open source that was supposed to have millions of eyeballs on it. I agree, I don't really buy that MS is rewriting everything hourly and that there is nothing to get from the source.

Then again, I found it incredible that Heartbleed hung out in OpenSSL for as long as it did, when you'd think there'd be at least a couple of people in every security group out there reviewing each patch for new vulns.

Heartbleed is the perfect example of why critical code should be open source. It was discovered by developers who were not the original coders, and they were able to talk about it freely, essentially marketing it to create awareness.

If OpenSSL were closed source, my servers would probably still be vulnerable today.


I guess things like this just happen. How many people were involved in using and testing something as critical as OpenSSL? Still, Heartbleed was discovered more than 2 years after the flawed code landed in production!

OpenSSL? Remember Heartbleed?

Heartbleed was in OpenSSL for years before it was discovered. It was readily auditable with plenty of docs and specs and yet nobody noticed.

Heartbleed was added to OpenSSL two years before it was reported. Some of the nasty downgrade bugs (especially around export encryption) were probably there longer.

The full timeline doesn't make big tech companies look particularly great. Heartbleed was a bug that came in with a questionable implementation of a questionable feature. It sailed through standards bodies and OpenSSL itself. A sensible explanation is that these are underfunded, understaffed efforts.

But next, the feature went live on the servers of more or less everyone, including Google and Yahoo and Amazon. People who employ and, presumably, well-compensate many experts in security and SSL implementations. Still, the code marched on, unnoticed, undisabled, deployed. How did that happen?


Heartbleed is a classic example.

OpenSSL was vulnerable from the end of 2011. Fixed in mid-2014.

And it's one of the most popular and commonly used open source technologies.


And Heartbleed is also an example of open source not being totally secure. It was a bug that persisted for years before it was found - and OpenSSL is open source.

It's just as foolish to blindly trust OSS. There will always be holes - the main point to OSS is not to combat these, as they will exist regardless. Rather, it is so one might know exactly what they're installing/using, without having to trust the corporation behind it.


We had access to the OpenSSL code, and yet Heartbleed happened.

AFAIK Heartbleed was found during one of Google's code reviews of OpenSSL.

Remember OpenSSL / Heartbleed etc?

I don't think anyone thought OpenSSL was good code even before Heartbleed. Bob Beck pointed that out in his LibreSSL talk https://youtu.be/GnBbhXBDmwU

Not that it matters. OpenSSL was already 15 years old when Heartbleed was discovered, and the horrible code that caused it remained unnoticed for two years. The idea that software maturity and "enough eyes" can overcome the glaring problems from using memory-unsafe programming languages is a fantasy.

I've contributed to OpenSSL in the past, but not regularly.

Heartbleed was partially because they hadn't fully adopted techniques like fuzzing in regular use, so when researchers started fuzzing everything, out popped Heartbleed. Now OpenSSL does fuzzing on (every PR, IIRC?). The author is a bit unfair in calling the project out as if they don't do it.

There still aren't a lot of developers on it relative to the complexity of the project though. Frankly there are large parts of the codebase that are pretty intimidating to touch, like the X.509 stuff implicated here.
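The comment above treats Heartbleed as the kind of bug fuzzing catches. The bug class is a length field in the heartbeat message (RFC 6520: type, 2-byte payload length, payload, at least 16 bytes of padding) that the responder trusted without comparing it to the bytes actually received, so the reply copied whatever followed the request in memory. The block below is an added illustration, not code from this thread or from OpenSSL: it builds a heartbeat record in a small simulated heap with a constructed secret marker placed right after it, shows the vulnerable and the corrected responder side by side, and runs a tiny fuzz loop over the claimed length to show that the corrected version never returns more than the real payload. The responder functions, the heap layout and the secret string are all assumptions made for the demonstration; the real fix has the same shape (reject unless `1 + 2 + payload + 16` fits in the record) but is written against OpenSSL's own record structures.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 6520 heartbeat message body: type(1) | payload_length(2, BE) | payload | padding(>=16) */
#define HEARTBEAT_PAD_MIN 16

/* Simulated process memory (constructed for the demo): the heartbeat record is
 * placed at the front and a secret marker is placed immediately after it. */
#define HEAP_SIZE 256
static unsigned char heap[HEAP_SIZE];
static const char SECRET[] = "-----BEGIN PRIVATE KEY-----"; /* constructed marker */

/* Build a heartbeat request whose length field claims `claimed_len` bytes while
 * only `actual_payload_len` bytes are really sent. Returns the true record length. */
static size_t build_heap(uint16_t claimed_len, const unsigned char *payload,
                         size_t actual_payload_len) {
    memset(heap, 0, sizeof heap);
    heap[0] = 1;                                   /* heartbeat_request */
    heap[1] = (unsigned char)(claimed_len >> 8);
    heap[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(heap + 3, payload, actual_payload_len);
    size_t record_len = 3 + actual_payload_len + HEARTBEAT_PAD_MIN;
    memcpy(heap + record_len, SECRET, sizeof SECRET); /* "heap" data after the record */
    return record_len;
}

/* Vulnerable shape: copies the *claimed* number of bytes and never looks at
 * rec_len. The clip to out_cap exists only so the demo stays inside `heap`. */
static size_t respond_vulnerable(const unsigned char *rec, size_t rec_len,
                                 unsigned char *out, size_t out_cap) {
    (void)rec_len;
    uint16_t len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)len > out_cap) len = (uint16_t)out_cap;
    memcpy(out, rec + 3, len);
    return len;
}

/* Corrected shape: the claimed payload plus minimum padding must fit inside
 * the bytes that actually arrived, otherwise the message is dropped. */
static size_t respond_fixed(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HEARTBEAT_PAD_MIN) return 0;
    uint16_t len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)len + HEARTBEAT_PAD_MIN > rec_len) return 0;
    if ((size_t)len > out_cap) return 0;
    memcpy(out, rec + 3, len);
    return len;
}

/* 1 if the reply bytes contain the secret marker, else 0. */
static int reply_leaks_secret(const unsigned char *out, size_t n) {
    size_t m = strlen(SECRET);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(out + i, SECRET, m) == 0) return 1;
    return 0;
}

/* Send a 4-byte "ping" with the given claimed length; report whether the reply leaks. */
static int demo_leak(uint16_t claimed, int use_fixed) {
    unsigned char out[HEAP_SIZE - 3];              /* reply buffer; bounds the demo copy */
    const unsigned char payload[4] = {'p', 'i', 'n', 'g'};
    size_t rec_len = build_heap(claimed, payload, sizeof payload);
    size_t n = use_fixed ? respond_fixed(heap, rec_len, out, sizeof out)
                         : respond_vulnerable(heap, rec_len, out, sizeof out);
    return reply_leaks_secret(out, n);
}

/* Minimal fuzz loop over the length field. Returns how many iterations made the
 * corrected responder hand back more bytes than were really sent (expect 0). */
static int fuzz_fixed(unsigned iterations, unsigned seed) {
    unsigned char out[HEAP_SIZE - 3];
    const unsigned char payload[4] = {'p', 'i', 'n', 'g'};
    int violations = 0;
    srand(seed);
    for (unsigned i = 0; i < iterations; i++) {
        uint16_t claimed = (uint16_t)(rand() & 0xffff);
        size_t rec_len = build_heap(claimed, payload, sizeof payload);
        size_t n = respond_fixed(heap, rec_len, out, sizeof out);
        if (n > sizeof payload) violations++;
    }
    return violations;
}

int main(void) {
    printf("claimed=4,  vulnerable leaks secret: %d\n", demo_leak(4, 0));
    printf("claimed=64, vulnerable leaks secret: %d\n", demo_leak(64, 0));
    printf("claimed=64, fixed leaks secret:      %d\n", demo_leak(64, 1));
    printf("fuzz violations against fixed responder: %d\n", fuzz_fixed(10000, 1));
    return 0;
}
```

The fuzz loop is deliberately naive (random lengths, no coverage feedback); the point is that the property being checked, "bytes returned never exceed bytes received", is simple enough that even this finds the vulnerable responder immediately while the corrected one holds.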


This is, respectfully, horseshit. OpenSSL gained (deservedly) a reputation for insecurity around the time of Heartbleed, but its governance and maintenance changed radically in the years immediately following. I would trust OpenSSL more than I would trust LibreSSL at this point. Certainly, it's one of the most aggressively surveilled security codebases on the Internet.

That's pretty brutal. One reason why Heartbleed was such a potential problem was the monoculture that tends to come when FOSS software becomes reliable and popular. Having more options out there is good, but I don't see why OpenSSL needs to go away. It had one major zero-day, then when people started paying attention to it, it got 1. a lot of attention to its security and 2. a not insignificant increase in much-needed financial support. Hopefully, we'll see more stable and well-tested TLS libraries out there, and the fact that there are now a few forks of OpenSSL is a good start.
