Jump to content


Interview: Post-Heartbleed, is it time to consider an alternative to OpenSSL?

  • Please log in to reply
No replies to this topic

OFFLINE   sincity


    Advanced Member

  • Members
  • PipPipPipPip
  • 2980 posts
Getting Better
Interview: Post-Heartbleed, is it time to consider an alternative to OpenSSL?

The Heartbleed Bug (and it's definitely a bug - not a virus) has ignited a debate around the security and reliability of open source software in recent months.

Discovered by researchers at Google and Codenomicon, the vulnerability was found in the open source OpenSSL cryptographic software library that provides Secure Sockets Layer (SSL) and Transport Layer Security (TSL) protection for anything from emails and web browsing to internet banking.

The programming mistake that led to Heartbleed - which was accidentally introduced by German programmer Dr. Robin Seggelmann, a frequent contributor of OpenSSL code - allows attackers to download 64k chunks of data stored in the supposedly secure main memory of servers.

It was an honest mistake, but one with far-reaching consequences. According to Errata Security, around 320,000 of 600,000 detected vulnerable servers are still vulnerable to Heartbleed. Post-Heartbleed, every private key on servers running OpenSSL are now suspect and could be potentially used by attackers to impersonate secure websites so long as those servers remain unpatched.

Is it time to switch from OpenSSL to a commercial solution (or another alternative) when it comes to web security? We spoke to industry experts at Infosec 2014 to find out more.

Keep open source - it still has lots to offer...

James Sherlow, SE Manager WEUR at Palo Alto Networks, thinks that ditching OpenSSL in the wake of Heartbleed would be something of a knee-jerk reaction:

"OpenSSL is still highly relevant and has scalability. It has a community of highly skilled developers, which is extremely valuable and still valid. Every software at a certain point in time will have some sort of vulnerability associated with it, but it doesn't mean we switch it off; it means we learn from our lessons."

…but Heartbleed was a wake up call

"I think that the open source community needs to start putting mechanisms in different areas that could cross-check others. That's better than finger pointing and blame which doesn't get anyone anywhere. It would mitigate the risk, reduce the chance of attack and raise the bar. To get to zero errors is difficult, but let's aim for it. That's the bar."

You couldn't just scrap it anyway...

The question of whether we should get rid of OpenSSL isn't so black-and-white, according to JD Sherry, VP of Technology & Solutions for Trend Micro. He believes that instead of turning down the services of dedicated and talented open source contributors, rewards should be offered to others who seek out errors in their work:

"Open source is always going to be an innate part of what we do, primarily because there's lots of great engineering involved with it - a lot of people pour their passion into these projects and a lot of excellent work comes out of them."

…so let's introduce more Bug Bounties

"Companies like Google, Microsoft and Facebook have got together to dump $100,000 each to get to the heart of Heartbleed, which isn't enough to stop a potentially similar scenario. Bug bounties, on the other hand, are supposed to self-regulate on the bug issue, and they can be extremely important.

"The cost of implementing and paying out for them can be well worth the outcome that comes with a major flaw in your software that was missed during the quality control process. Whether open source or not, they're going to be critical in making sure we don't have a tremendous amount of Heartbleed or other OpenSSL cases."

OpenSSL was broken from the start...

Not everybody has been so understanding when it comes to OpenSSL. That includes FreeBSD and security developer Poul-Henning Kamp, who has called for the end of it in a blog post called Open SSL must die, for it will never get any better:

"And that brings me back to OpenSSL — which sucks. The code is a mess, the documentation is misleading, and the defaults are deceptive. Plus it is 300,000 lines of code that suffer from just about every software engineering ailment you can imagine."

" ... it's nobody's fault. No one was ever truly in charge of OpenSSL, it just sort of became the default landfill for prototypes of cryptographic inventions, and since it had everything cryptographic under the sun (somewhere, if you could find out how to use it), it also became the default source of cryptographic functionality."

...and nobody's ever going to get fired for making mistakes

"I'm sure more than one person has thought 'Nobody ever got fired for using OpenSSL'. And that is why everybody is panicking on the Internet as I write this. This bug was pretty bad, even as bugs in OpenSSL go, but my co-columnist at ACM Queue, Kode Vicious, managed to find a silver lining.

"Because they used a 'short' integer, only 64 kilobytes worth of secrets are exposed. And that is not the first nor will it be the last serious bug in OpenSSL, and, therefore, OpenSSL must die, for it will never get any better.

"We need a well-designed API, as simple as possible to make it hard for people to use it incorrectly. And we need multiple independent quality implementations of that API, so that if one turns out to be crap, people can switch to a better one in a matter of hours."

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users