Saturday, 7 June 2014
Why OpenSSL Being Patched Again Is Good News
There is a new version of OpenSSL, and, yes, it turns out previous versions of the security package had some serious vulnerabilities. However, these flaws being found is a good thing; we aren't looking at a disaster of Heartbleed proportions.
At first glance, the OpenSSL advisory listing all seven vulnerabilities that have been fixed in OpenSSL appears to be a scary list. One of the flaws, if exploited, could allow an attacker to see and modify traffic between an OpenSSL client and OpenSSL server in a man-in-the-middle attack. The issue is present on all client versions of OpenSSL and server 1.0.1 or 1.0.2-beta1. For the attack to succeed—and it's fairly complicated to begin with—vulnerable versions of both the client and server need to be present.
Even though the extent of the issue is very limited, perhaps you are concerned about continuing to use software with OpenSSL included. First, Heartbleed. Now, man-in-the-middle attacks. Focusing on the fact that OpenSSL has bugs (what software doesn't?) misses a very critical point: They are being patched.
More Eyes, More Security
The fact that developers are disclosing these bugs—and fixing them—is reassuring, because it means we have more eyeballs on the OpenSSL source code. More people are scrutinizing each line for potential vulnerabilities. After the disclosure of the Heartbleed bug earlier this year, many people were surprised to discover the project did not have a lot of funding or many dedicated developers despite its widespread use.
"It [OpenSSL] deserves the attention from the security community it is receiving now," said Wim Remes, managing consultant for IOActive.
A consortium of tech giants, including Microsoft, Adobe, Amazon, Dell, Google, IBM, Intel, and Cisco, banded together with the Linux Foundation to form the Core Infrastructure Initiative (CII). CII funds open source projects to add full-time developers, conduct security audits, and improve testing infrastructure. OpenSSL was the first project funded under CII; Network Time Protocol and OpenSSH are also being supported.
"The community has risen to the challenge to ensure that OpenSSL becomes a better product and that issues are found and fixed quickly," said Steve Pate, chief architect at HyTrust.
Should You Worry?
If you are a system administrator, you must update OpenSSL. More bugs will be found and fixed, so administrators must keep an eye out for patches to keep the software up to date.
For most consumers, there is not a lot to worry about. In order to exploit the bug, OpenSSL needs to be present at both ends of the communication, and that typically doesn't happen in Web browsing, said Ivan Ristic, director of engineering at Qualys. Desktop browsers do not rely on OpenSSL, and, even though the stock Web browser on Android devices and Chrome for Android both use OpenSSL. "The conditions necessary for exploitation are quite a bit harder to find," Ristic said. The fact that exploitation requires man-in-the-middle positioning is "limiting," he said.
OpenSSL is often used in command line utilities and for programmatic access, so users need to update right away. And any software application they use that utilizes OpenSSL should be updated as soon as new versions become available.
Update the software and "prepare for frequent updates in OpenSSL's future as these are not the last bugs that will be found in this software package," warned Wolfgang Kandek, CTO of Qualys.