
Summary:

Does the Heartbleed hubbub mean we should reconsider the use of open-source software? Probably not, but it’s worth discussing.


One of the benefits often cited for the use of open-source software is that because it is so widely available and open to review by developers, any security flaws will be caught sooner than with closed, proprietary systems. This week’s near-panic around the Heartbleed flaw in the OpenSSL open-source encryption software calls that contention into question. When you have internet security czars telling people to “stay off the internet,” there’s a problem.

The vulnerability, which afflicted popular web sites and networking gear from Cisco and Juniper, has been around for more than two years but was brought to light by researchers at Google and Codenomicon early this week. That’s a long time.

But the German programmer who claimed responsibility for contributing the flawed code in late 2011 told The Guardian that he, not the open source model, is to blame. Robin Seggelmann said his update did what it was supposed to do — enable the “Heartbeat” feature in OpenSSL — but also accidentally created the vulnerability that caused all the hubbub.

Seggelmann said he “wrote the code and missed the necessary validation by an oversight. Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version.”
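The “necessary validation” Seggelmann refers to is a bounds check on a heartbeat message’s self-declared payload length. As an added example that is not from the article or from OpenSSL, this hypothetical C helper parses an RFC 6520 heartbeat request and applies that check before echoing the payload; the two sample records are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* RFC 6520 layout: 1-byte type, 2-byte payload_length, payload, >= 16 bytes padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16

/* Hypothetical helper, not OpenSSL's code: answer the heartbeat_request in rec[0..rec_len).
 * Returns bytes written to out, 0 to silently drop a malformed request, -1 if out_cap is too small. */
long build_heartbeat_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST)
        return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* length the *sender* claims */
    /* The check Heartbleed lacked: the claimed length must fit inside the bytes
     * actually received, otherwise the memcpy below reads past the end of the record. */
    if (HB_HEADER + payload + HB_PADDING > rec_len)
        return 0;
    size_t resp_len = HB_HEADER + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);  /* echo only the bytes we really have */
    memset(out + HB_HEADER + payload, 0, HB_PADDING);   /* demo padding; real code randomises it */
    return (long)resp_len;
}

/* Constructed sample: a well-formed request carrying the 5-byte payload "hello". */
long demo_valid_request(void)
{
    uint8_t rec[HB_HEADER + 5 + HB_PADDING] = {HB_REQUEST, 0, 5, 'h', 'e', 'l', 'l', 'o'};
    uint8_t out[64];
    long n = build_heartbeat_response(rec, sizeof rec, out, sizeof out);
    return (n > 0 && memcmp(out + HB_HEADER, "hello", 5) == 0) ? n : -2;
}

/* Constructed sample in the Heartbleed shape: claims 65535 payload bytes, carries one. */
long demo_overlong_request(void)
{
    uint8_t rec[HB_HEADER + 1 + HB_PADDING] = {HB_REQUEST, 0xff, 0xff, 'x'};
    uint8_t out[64];
    return build_heartbeat_response(rec, sizeof rec, out, sizeof out);
}

int main(void) { printf("valid: %ld bytes, overlong: %ld\n", demo_valid_request(), demo_overlong_request()); return 0; }
```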

So why did the resulting vulnerability stay under the radar for so long? Because, in his view, OpenSSL, while widely deployed, is also under-funded. OpenSSL is “definitely under-resourced for its wide distribution. It has millions of users but only very few actually contribute to the project,” he told the Guardian.

And that brings us back to the question of whether open-source software is always best compared to company-funded-and-supported commercial (paid) software. It’s good to debate the issue, but given the traction that Linux, Apache and perhaps OpenStack have gotten, this horse may have left the barn. And remember, commercial software companies haven’t exactly covered themselves in glory with regards to security. Most notably, security giant RSA reportedly shipped encryption software with a known backdoor.

  1. Security is just the science of convincing an opportunistic threat actor that you are harder to crack than your neighbor. The underpinnings of security through obscurity (RSA/NSA or Apple GoToFail) or open source (OpenSSL) are both susceptible to human error. The benefit of security through obscurity is that there are fewer eyes on the code, and the benefit of open source security is that there are more eyes on the code. :)
    1. Sort of my view too, Tal. But given the sheer size of code now — zillions of lines — I sort of wonder if catching flaws is even possible…
      1. Sure it’s possible, it just takes a couple of years.
        1. TeaPartyCitizen Sunday, April 13, 2014

          I like the fact that you can see the structural elements of a roller coaster. I would be scared to ride one if they covered up what was underneath. If there is something faulty about it, at least it is in the sunlight and not covered up. The same with code. How is hiding the code going to help us rid it of flaws? How would covering up a roller coaster help make it more secure?
      2. Christopher Stith Friday, April 11, 2014

        Someone other than the original developer found this. Since it was found it’s had lots of eyes on it. Further, people have been looking into other parts of OpenSSL quite a bit more. Some people were actually complaining about this well before the bug was found and patched.

        Another bug was introduced a few years ago when Debian tried to clean up the memory leaks and similar anomalies.

        http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse
        https://rachelbythebay.com/w/2012/12/14/quiet/
        https://groups.google.com/forum/#!topic/mailing.openssl.dev/n-qPoEYjock
        https://freedom-to-tinker.com/blog/kroll/software-transparency-debian-openssl-bug/
    2. TeaPartyCitizen Sunday, April 13, 2014

      That is not the definition of security. Security is the state of being free from danger or threat. The hole has been patched. OpenSSL being under-funded is the problem. Google, IBM, Microsoft, Yahoo, etc. are just a few of the companies that use OpenSSL and yet they don’t fund it. That is the problem. Individuals should have a free ride with Open Source, but companies with billions of dollars should contribute to projects whose software they use.
  2. thatbrentguy Friday, April 11, 2014

    Perhaps someone can describe how a closed-source solution would have fared in the same case, whereby a programmer inadvertently inserts a bug, it passes review, and is released in a stable product.

    Would the company assign resources to ongoing review of the code for security bugs, years after its release?

    Would those resources be selected from the original developers or different people than the programmer/reviewer who missed it in the first place?

    If the company were to discover the flaw and release a patch, would any of their customers ever know that they had been vulnerable? Would the company risk torpedoing its market share by calling for global certificate renewal?

    In the case of OpenSSL, I believe we are all far better off for having had the problem uncovered publicly and knowing the full scale of the implications than if there had been a similar issue in a closed box, whose bug and implications might have remained hidden from everyone but those who wanted it to remain unknown.
    1. agreed — it’s been painful but at least the issue is out there
    2. I think you missed the point a bit. The claim is that open source software is safer than commercial software. The point is that this bug demonstrates that the claim cannot be fully true. The details show that open source software suffers from the same human frailties as commercial software. And, having worked on operating system software for many vendors and more years than I would like to admit, the answer is “yes” to your questions.
      1. I think you’re missing the point. All software has bugs, as you concede above. This bug was only found because an outside developer was looking at the code, something that wouldn’t have happened if this was proprietary software.
      2. TeaPartyCitizen Sunday, April 13, 2014

        You’re missing the point! SSL is an algorithm, a blueprint, if you will. Developers are like construction workers building what is on the blueprint. If a dumb-ass carpenter forgets a nail, that does not mean you hide the blueprint.
  3. Do we have to worry about email SSL (ports 465, 587 and 993) for Heartbleed problems?
    1. Christopher Stith Friday, April 11, 2014

      That depends. Are your mail servers using OpenSSL with TLS heartbeat enabled in the build? If you don’t know then ask your provider or sysadmin. If the responsible party doesn’t know then you have a bigger problem.
  4. Srikanth Remani Friday, April 11, 2014

    Most open-source software would be well funded if 1% of the users contributed something, I mean just a dollar. This is a serious issue: corporations using open source software are better served if they make decent donations to those projects, both monetary and/or human. Without that we rely on enthusiasts, and enthusiasm has a habit of waning over time.
    1. @srikanth This was what the German programmer was getting at, I think. Companies — and users — glom onto open source but don’t pay the freight…
  5. Excellent points raised. Software has bugs. So does open source software. It’s not fundamentally more secure, but it’s fundamentally easier to become more secure. That does not make it risky to use open source, but risky to assume a false sense of quality. As we leverage the work that others share, we are motivated to give back with automated test results, code bug fixes, and funding to those projects that we rely upon. This is a painful lesson given the challenges this week with this bug, but the call to action is one worth sharing. Thanks,
  6. Only someone who cannot READ or UNDERSTAND code will write an article like this or raise a question like this. Because this was open source, everyone could see exactly what the problem was and could make an educated guess on what the impact was. Try that with a closed source product.
  7. My Debian-based system just got an update with the fix for this. You can’t beat that with any other OS. You’ve probably seen the XKCD explanation by now (http://xkcd.com/1354/). This provided a memory dump. An attacker would have to plow through a lot of junk to find passwords or CC#’s in that.
  8. I’m confused: all of my Android devices are vulnerable, but heartbeat is not enabled on any. Is this a two-way handshake? If the device side is not enabled, does it obviate the server side? I’m just a simpleton trying to wrap my head around this issue.
    1. TeaPartyCitizen Sunday, April 13, 2014

      It occurs when a bad guy targets your device, or when your device connects to a bad guy’s site, but I think that Android avoids this problem except 4.1.1, in a limited way.
  9. Seriously? Sad day to see this on GigaOM. I believe you need to start reading, from the day Yuri Gagarin hopped into space to how we got here, and maybe then, in the middle of that reading you will realize how inapplicable this question is. Very moot post.
  10. Thank heavens that OpenSSL *is* open! Had it been closed source, it would not have been available for audit and such an error might not have been found.