Heartbleed SSL exploit [CVE-2014-0160]

Discussion in 'Business & Enterprise Computing' started by HeXa, Apr 9, 2014.

  1. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,475
    Location:
    qld.au
    Your statement would be incorrect. You make the assumption that other people reviewing the code would be able to detect every bug. If all that's required is a code review to prevent software bugs, then surely a company the size of Microsoft would produce bug free software? They've got over 100,000 employees and have been working on some of the code bases for over 20 years, surely this means it'd be bug free according to your view?
    Quoting to simply highlight the significance.

    Again, any software written by humans is prone to error and bugs. This isn't a new concept. Updates and bugs in software should be planned for, anyone who doesn't treat software based platforms as an evolving system is in for a lot of hurt.
    Where are you getting the "at least 10 days" figure from?
     
  2. kogi

    kogi Member

    Joined:
    Jan 23, 2003
    Messages:
    5,129
    Location:
    2031
    Is there something like the Apache foundation which oversees openssl?

    Should there be? Would it have helped in this case?
     
  3. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,650
    Location:
    Brisbane
    OpenSSL themselves.
    Verge article on people who knew before it was passed to OpenSSL - http://www.theverge.com/2014/4/10/5601576/how-do-you-fix-two-thirds-of-the-web-in-secret - includes people like Cloudflare, Akamai, Facebook, majority of Google Services, etc...
     
    Last edited: Apr 11, 2014
  4. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    I don't buy that argument.

    If I'm a security software vendor, and I'm packaging OpenSSL up to sell to customers, surely I have some duty of care to understand what OpenSSL does, and that it's not needlessly exposing my customers.
     
  5. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    14,050
    Location:
    Brisbane
    April 1st to April 7th isn't 10 days...

    Also, speaking of widespread bugs, what about Apple's SSL bug?

    OpenSSL 1.01 released - March 14, 2012
    iOS 6.0 released to manufacturing - September 19, 2012

    OpenSSL patched - April 7, 2014
    iOS 6.1.6 released - Feb 21, 2014

    Total days in the wild:
    OpenSSL: 754
    Apple SSL bug: 520

    Considering how hard Apple checks their code to protect against jailbreaking, and the fact it was visually obvious, they're obviously negligent right? :p

    Elvis constantly whinges about how the VFX machines they're buying come on old version of Linux that are exploitable, or if it's a SCADA system still vulnerable to MS08-067.

    So, should they? Sure. Are they? No. Is it just restricted to OpenSSL? No. Is it just restricted to FOSS software? No.

    Throw the argument at both sides of the fence mate, they're both just as guilty.
     
  6. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,650
    Location:
    Brisbane
    To be fair, there is probably < 10 people who actually get some of the most complex parts of cryptography.

    2 of them probably use a computer, ever.

    Oh, and FWIW - Google re-issued its Gmail cert on the 3rd of April.
     
  7. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    What I've said is that the argument that FOSS is inherently safer than proprietary because so many people can view the source and identify/fix bugs, holds absolutely no water.

    That's not to comment on the other advantages/disadvantages of either side of the fence.
     
  8. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,475
    Location:
    qld.au
    Maybe my maths isn't as good as yours, but the difference between April 01 and April 07 isn't "at least" 10 days to me. The two groups who discovered the bug were responsible in their disclosure, so the chances of it being exploited by hackers between April 01 and 07 would have been extremely minimal.

    So if you sell a Windows based system to your customers, have you thoroughly tested every single part of the functionality? Otherwise, aren't you "needlessly" exposing your customers?

    I guarantee you that people using OpenSSL understand how it works and understands a lot of the low level code. That doesn't mean that they're magically able to find every bug in the software.
     
    Last edited: Apr 11, 2014
  9. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    14,050
    Location:
    Brisbane
    You're talking about probably the one big security issue FOSS software has had in a very long time.

    You asked elvis earlier, how can this incident not logically shake your opinion of FOSS.

    How can one serious issue, amongst all the vast swathe of open source software out there, change yours?

    Open CVE Details, aside from some notable exceptions (Apache vs IIS springs to mind), you'll find generally that FOSS options have fewer bugs noted in there.

    As you said before though, you want someone to blame, you ain't gonna get that easily with FOSS software so clearly it's useless to you :)
     
  10. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,650
    Location:
    Brisbane
    And tbh - I've agreed with that view for over a decade.

    This concept that I can go read the source any time I want is great. I personally can only read basic code, even then - it's like rusty C. My sister - who uses Ubuntu - can't read code to save herself, she's a nurse.

    Now people are saying "it's open source, you can read it any time you want if you want to know it's secure" - that's lovely, I don't have time to read it - or even the time to learn to read it.

    How big is the linux kernel? Some 15m lines or so - some of which will be dealing with some complex stuff.

    How old is some of the last-written stuff in the kernel? Probably since 1.0 or prior (so over 20 years). We have no real way of telling when it was last reviewed.

    So now we're left with some code - that's absolutely out of the question for most people to review - keeping in mind we're talking about a single project at this point, not every FOSS project in existence - that's publicly available.

    Nothing has said that the people who WANT to get you, are going to report their findings to anyone that wants to keep you safe. But you've given them a huge leap forward to do so.

    By being closed source - I have something of a vetted team of people with the code. If I'm Microsoft in this example, the only people I let look at the entirety of my code is probably pretty damned small.

    And hey, the people who can, well they have jobs to do at work - and looking at the entirety of code - or even potentially juicy subsets that are prone to error and easy to exploit - probably isn't something I can just do all the time.

    Even if that group isn't small, and Jo Janitor at MS can look at it - he's still at least been vetted by HR, his boss, etc - all those employee controls to say he's a reputable person.

    TeamShady from our favourite TLA comes along, says "show us your code or get the fuck out of our country". Sure I let them, and it's nasty that they have access - but this still isn't every Tom, Dick and Harry who wants to exploit you, encrypt all your data and ransom the key back to you. The point is the code has still been seen by a limited number of eyes.

    Yes you can find bugs in code without having the code. But it's fuckloads easier to find it with the code. And you have no idea how many people or anything about the people who did - what their motives are, etc.
     
  11. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    They accept the risk when they click past the EULA :).
    They acknowledge that Microsoft has done its darndest to find the bugs, and that it will fix any that have been missed.

    How can you make that guarantee?
    How do you know they are even looking?

    If Cisco's specific TLS implementation had bugs in it... fine, bugs happen
    If Google's specific TLS implementation had bugs in it... also fine, bugs happen

    But just downloading a package, including it in your security devices and assuming it's safe... Yes, that does push the trust relationship a bit far.

    Which is more likely?
    Everyone who has used OpenSSL has looked at the code and understood the code, and everyone missed this

    or

    Everyone who has used OpenSSL has assumed the code is good, based on everyone else who is using OpenSSL
     
  12. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,650
    Location:
    Brisbane
    Were they? How do you know? Because they told you? The exact article I linked AFTERWARDS discusses how several major Internet players had a heads up beforehand. Yet other major Internet players didn't (such as Yahoo Mail).

    For a bug that has existed for almost 2 years? That hands nothing short of the crown jewels of SSL? And there is absolutely no trace of you trying to exploit this, as often as you want to try?

    You have Snowden saying that "NSA can break SSL at will..." - most people going "hurrrrr, the amount of CPU/GPU power to do that is more than the entire planet worth of CPU/GPU's....".

    Do you seriously believe that no-one knew about this, and that a significant amount of private keys are not stored by various people and organisations around the world by now?
     
  13. elvis

    elvis OCAU's most famous and arrogant know-it-all

    Joined:
    Jun 27, 2001
    Messages:
    46,809
    Location:
    Brisbane
    You've "proven" this with one example?

    You've never considered this to be the exception to the rule? Or are we basing this opinion on a sample size of one?

    Once again, we've seen similar bugs in the proprietary world. Microsoft had known RPC bugs in the wild granting root access to things for years before patching. If we're arguing a case history of security based on proprietary versus open source, the examples don't stack in favour of proprietary by pure numbers.

    Why do you think I had some sort of dogmatic faith in FOSS? People write code, and people fuck up CONSTANTLY. ALL code is flawed because it's written by people. Open source isn't some magical panacea, and anyone who thinks it is is delusional.

    With that said, it's still better than proprietary code. I argue that based on the number of instances of said fuckups over the last 10 years, acknowledging that both methods have fucked up, but one has done so fewer times.

    And why do you think I'm excusing this behaviour? My acceptance that something bad happened doesn't mean I condone it. In fact, I think this should be used as a case study moving forwards of exactly how the fuckup occurred and why, and what can be done to prevent it.

    Open source is about much more than "many eyes". It's also about transparency. The entire open source community needs to step back and figure out a way to put more effort into preventing this sort of thing (which they're already doing).
     
    Last edited: Apr 11, 2014
  14. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,650
    Location:
    Brisbane
    Is it easier to find these bugs if I'm malicious and intelligent with or without source?
     
  15. elvis

    elvis OCAU's most famous and arrogant know-it-all

    Joined:
    Jun 27, 2001
    Messages:
    46,809
    Location:
    Brisbane
    Hiding the key under the welcome mat is "security through obscurity", and has proven many times over in practical environments to not be a valid method of protection.

    Your point is valid, however, but is part of a much bigger and more complex problem. Let us remember that Microsoft code has been stolen in the past, so locking up buggy code in a vault doesn't always solve the problem. Likewise, many companies and governments have copies of Microsoft code under NDA. You'd be a fool to think that hasn't made its way to underground circles.

    Once again, I don't believe open source as a model is perfect. I do believe it's better than proprietary for most (not all) things. History and objective numbers suggest that I'm right with respect to security, even with Heartbleed factored in.
     
    Last edited: Apr 11, 2014
  16. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    14,050
    Location:
    Brisbane
    Strong paranoia ITT right now :thumbup:

    Pretty much, thanks for putting it that way I was struggling to find a way to say the same thing.

    If I come across as an apologist for this in any way, I'm not, just that most of the arguments being brought up in here are just inane.
     
  17. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,650
    Location:
    Brisbane
    Publicly, a version of the Windows 2000 Source has been leaked - old news - but from memory, it doesn't even build (yay! small victories).

    I'm not naive enough to think that there isn't more recent OS source code available on the black market for the right bidder. And I know for a fact that various Government TLAs (unsure about companies - really not seeing anyone whose business is that valuable to MS that they would do so, but certainly wouldn't put it out of the realm of possibility) will have access to the code.

    But again - it's about vetting the people who have access, and there is absolutely ZERO vetting whatsoever with open source, there isn't even a log of who looked in the first place.

    I also don't view closed source as directly "security through obscurity". People can look - they just have to be the right people, with a good enough reason.

    Is the fact you don't show the world your bank account security through obscurity? No, it's that you don't trust the whole world to know what your balance and transactions are.

    The security of your bank account is actually provided by user access control - your bank can look on a need to know basis, so can your wife if you pass her the login details. This is exactly the same way MS provides access to their source code.

    This is *completely* different to saying "well I just run RDP on port 60000 rather than 3389" - which is security through obscurity. Scanning for an RDP service on any port is a trivial task. I challenge you to find the source for Windows 8.1 with Update on the net. I'll give you a year if you want.

    It's not obscured from vision. It's access controlled by Microsoft.

    Microsoft's historical problems with security are borne out of the fact that some of the code is sooo old, and written in a different time and philosophy. Microsoft was never writing multi-user operating systems from the start - they moved into that game. The Win 2k era of "any MS box on the web is vulnerable" changed things inside Microsoft, and I really think some of the old die hard "Microsoft is evil" types haven't really paid attention to this.

    It's not the same company it was - and the fact that Windows isn't open source isn't the reason why we still have major flaws. Human error - just like has happened here with Heartbleed - is.
     
    Last edited: Apr 11, 2014
  18. elvis

    elvis OCAU's most famous and arrogant know-it-all

    Joined:
    Jun 27, 2001
    Messages:
    46,809
    Location:
    Brisbane
    What has the ability to compile an entire OS head to toe got to do with it? I can tell you now there's code in Win8.1 that's still around from Win95. Regardless of whether the stolen code compiles cleanly, there are valid clues in there for people wanting to write exploits.

    Once again, you're arguing that hiding things is a valid way of securing software. Let us start writing a list of all of the buffer overflow bugs that have resulted in publicly abused Microsoft security flaws where people had zero access to the code.

    The "many eyes" argument is not perfect for two reasons:

    a) We don't know how many eyes there are viewing it for the powers of good, and if they're competent

    b) We don't know how many eyes there are viewing it for the powers of evil, and if they're competent

    But the easy counter-argument for OpenSSL right now is that GnuTLS exists, has been audited by their community, and doesn't have these problems. If my "faith in open source is rocked" by OpenSSL being stupid, it's restored by GnuTLS being not stupid. :)
     
  19. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,650
    Location:
    Brisbane
    I edited.

    It's not hidden at all.

    You're just not the right person with access to see it.

    The code isn't even obfuscated.
     
  20. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,475
    Location:
    qld.au
    The article you've linked describes how they kept the vulnerability hidden until it was patched and released.

    As for the other companies knowing, you posted the timeline earlier where the OpenSSL team contacted vendors to prewarn them. This has been the only non-transparent part of the whole scenario and I can understand how this has confused some people. There's a fine line between letting a few key players know about a vulnerability (to allow them time to prepare) and telling everyone. The wider the community they share it with, the greater the chance of accidental release.

    Have a look at the changelog: https://www.openssl.org/news/changelog.html

    You have Apache, Red Hat, Google, IBM, Comodo, and no doubt many other key players who have all submitted both bug fixes and reported security problems. Many of these companies have also sponsored work for the OpenSSL team to complete. This is how open source works.

    Again, you're simply confusing the fact that one bug got through with it somehow meaning that nobody checks it. This is clearly false.
     