The Under-Funded Project Keeping the Web Secure


A security flaw affecting two thirds of websites is a reminder that the Web relies on a poorly resourced open source project.

Late yesterday we learned that two thirds of the world’s websites have a major security vulnerability that could be used to crack encrypted connections and steal user passwords or a company’s encryption keys. The news set system administrators for the estimated 117,000 servers affected (including at major companies like Yahoo) scrambling to roll out a fix. It is also leading some people to ask why the widely used software in which the critical bug was found doesn’t get better support.

The Heartbleed bug, as it is known, is a small flaw in a version of an open source package called OpenSSL. It is used by Web servers to offer encrypted TLS connections, which appear to users as a padlock and an “HTTPS” prefix in the browser’s address bar and which protect online banking and other private communications. The flaw is a missing bounds check in OpenSSL’s handling of the TLS heartbeat extension: a peer can send a heartbeat request whose length field claims a payload far longer than the bytes actually sent, and the affected versions (1.0.1 through 1.0.1f) answer with that many bytes of server memory, which can contain session cookies, passwords or the server’s private key. The fix in 1.0.1g is a single check that the claimed payload fits inside the record that was received.
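The bounds check described above, as an added illustration rather than OpenSSL’s own source. The record layout follows RFC 6520 (1 byte type, 2 byte length, payload, at least 16 bytes padding); the “process memory” array, the 4-byte “ping” payload that claims to be 64 bytes long, and the secret string placed after it are constructed for the demo so that the over-read stays inside one array and the program is well defined:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustration of the Heartbleed bug class (not OpenSSL's code).
 * A heartbeat record is: type(1) | payload_length(2, big-endian) | payload | padding(>=16).
 * The peer is supposed to echo `payload_length` bytes of payload back. */

#define HB_PADDING 16

/* Vulnerable pattern: trusts payload_length and never compares it with the
 * number of bytes that actually arrived. `rec` must point into a larger
 * buffer (the constructed "memory" below) so the over-read is well defined. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap)
{
    (void)rec_len;                              /* never consulted: the bug */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (payload_len > out_cap)                  /* only guards the destination */
        payload_len = (uint16_t)out_cap;
    memcpy(out, rec + 3, payload_len);          /* copies past the real record */
    return payload_len;
}

/* Hardened pattern, mirroring the check added in OpenSSL 1.0.1g: discard the
 * record unless type + length field + payload + minimum padding fit inside
 * the bytes actually received. Returns 0 and copies nothing when malformed. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len)
        return 0;
    if (payload_len > out_cap)
        return 0;
    memcpy(out, rec + 3, payload_len);
    return payload_len;
}

/* Portable byte-wise substring search (memmem is not standard C). */
static int contains(const uint8_t *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Constructed "process memory": a heartbeat whose length field says 64 but
 * whose real payload is the 4 bytes "ping", followed by padding and then a
 * secret a real server might hold on its heap (hypothetical value). */
#define SECRET "session=deadbeef;"
#define REAL_RECORD_LEN (1 + 2 + 4 + HB_PADDING)
static uint8_t memory[256];

static void build_memory(uint16_t claimed_len)
{
    memset(memory, 0, sizeof memory);
    memory[0] = 1;                                   /* heartbeat_request */
    memory[1] = (uint8_t)(claimed_len >> 8);
    memory[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(memory + 3, "ping", 4);                   /* actual payload */
    memcpy(memory + REAL_RECORD_LEN, SECRET, sizeof SECRET - 1);
}

/* 1 if the vulnerable handler echoes the secret for the lying record. */
int vulnerable_leaks_secret(void)
{
    uint8_t out[128];
    build_memory(64);
    size_t n = heartbeat_vulnerable(memory, REAL_RECORD_LEN, out, sizeof out);
    return contains(out, n, SECRET);
}

/* Bytes the fixed handler echoes for the same lying record (expect 0). */
size_t fixed_echo_len(void)
{
    uint8_t out[128];
    build_memory(64);
    return heartbeat_fixed(memory, REAL_RECORD_LEN, out, sizeof out);
}

/* Bytes the fixed handler echoes for an honest record (expect 4: "ping"). */
size_t fixed_echo_valid_len(void)
{
    uint8_t out[128];
    build_memory(4);
    return heartbeat_fixed(memory, REAL_RECORD_LEN, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %s\n",
           vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler echoes %zu bytes for the lying record, %zu for an honest one\n",
           fixed_echo_len(), fixed_echo_valid_len());
    return 0;
}
```

The real bug let a client ask for up to 65,535 bytes per request and repeat the request indefinitely, so the leak was bounded only by what happened to sit near the heartbeat buffer on the heap; that is why both passwords and private keys were recoverable. Note also that the honest record still echoes correctly after the fix, which is the property a formal specification of the handler would state: the echoed bytes are always a prefix of the received payload.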

There are alternatives to OpenSSL, but it is by far the most widely used software for the job. Most websites use it to protect their data and that of their users. Yet the OpenSSL project is mostly run by volunteers. It relies on donations and, unlike some other open source projects, has no corporate sponsors.

It’s impossible to say if more funding would have prevented the Heartbleed bug. But some security experts see the incident as a reminder that what is essentially a critical part of the Web’s infrastructure seems to lack appropriate support from those who rely on it.

Written By: Tom Simonite
continue to source article at technologyreview.com

4 COMMENTS

  1. There are alternatives to OpenSSL, but it is by far the most widely used software for the job. Most websites use it to protect their data and that of their users. Yet the OpenSSL project is mostly run by volunteers. It relies on donations and, unlike some other open source projects, has no corporate sponsors.

    Perhaps the owners of the websites should be donating to these commendable open-source systems, which break the money-making monopolies of big business.

    • In reply to #1 by Alan4discussion:

      Perhaps the owners of the websites should be donating to these commendable open-source systems, which break the money-making monopolies of big business.

      Most of them do donate and most of them also donate in other ways besides money. The better tech companies will do things like pay for participation in open source conferences, allow people to work on open source during lulls in for profit development, support participation in standards groups, etc.

      But I agree there should be a lot more funding for this, and some of it should come from the government. It’s amazing we can spend trillions to fight terrorism but not invest a few million to make sure this kind of infrastructure is secure. I think it’s interesting to imagine what the reaction would be if this bug were the result of some Al Qaeda hacker developing a program that could penetrate secure SSL and then releasing it to the world.

  2. An interesting technical note is that it might be theoretically possible to prevent these kinds of bugs. Formal methods is a technique used to design software using mathematical logic. You describe the software as a set of logical axioms and then you use transformations to transform the logical specification into efficient code. You can prove that the code has the properties defined in the logical specification. Creating software that way is much more difficult and time consuming than the normal process. It’s so much more difficult that it’s just not cost effective for most kinds of problems. Only the kinds of problems where even a single error can be life threatening or result in catastrophic economic costs can justify it, but security software is one area where it is used; the NSA usually had people at the formal methods conferences when I went to them. Whether this specific problem would be amenable to a formal methods solution I’m not sure; one issue is that it’s not easy or sometimes even possible to express all the requirements (e.g. things like response time) as a logical specification. But my guess is it could be done if there was the proper funding.

  3. This is kind of an old article but just wanted to share some thoughts about the Heartbleed bug. Also, I’m not a networking expert, I want to post my thoughts in case there is someone reading who has deep knowledge about SSL and may want to correct what I currently know.

    My main thought is that IMO people shouldn’t rush out to change all their passwords. The SSL software, at least as far as I know, is a very ubiquitous piece of software. It may run not just on servers but on routers and other boxes as well. Actually, that is one thing I’m not certain of: is the bug limited to SSL at the host sites only, or is it possible that SSL software at the ISPs we go through could also be a security risk? I don’t know the answer to that. I think the way SSL works it’s a direct connection from the server to the client, so it doesn’t run on the ISP equipment, but I’m not sure about that.

    But either way, the most important issue is that if you go to change your password and the patch for the SSL bug hasn’t been completely adopted at the site(s) you have to go through, you may end up doing the very thing you are trying to prevent. I.e., you may be changing your password and giving some hacker access to the new password. It’s why I’ve been just holding off any online purchases or banking for the time being. I plan to change my passwords some time next week after I get responses from the most important sites I use.

    Here is a CNET FAQ about the Heartbleed bug

    Note that they raise the same issue:

    Should I change my passwords? For many Web sites, yes. BUT wait until you get confirmation from the Web site operator that the bug has been patched. It’s a natural reaction to want to change all of your passwords immediately, but if the Web site’s bug has not been fixed yet, making the change could be useless — you’re just potentially giving an attacker your new password.

    Also, they have some info on how to check a site to see if it has been patched. Here is the text that describes that, go to the link above to actually find the text with active links you can follow:

    CNET is keeping a running list on the status of the top 100 Web sites, according to Alexa.com. Check back here for updates. Here’s a list of sites that were still vulnerable as of Thursday afternoon, according to researchers at Zmap.
