pages tagged security
hroy.eu
https://hroy.eu/tags/security/
hroy.eu
ikiwiki
2014-10-21T15:44:11Z
https://hroy.eu/notes/openssl-11/
<a href="http://creativecommons.org/publicdomain/zero/1.0/">CC0-1.0</a>
2014-10-21T15:44:11Z
2014-04-12T08:24:04Z
<p><a href="http://online.wsj.com/news/articles/SB10001424052702303873604579495362672447986">Wall Street Journal</a>: The encryption flaw that punctured
the heart of the Internet this week underscores a weakness in
Internet security: <a class="toggle" href="https://hroy.eu/tags/security/#notes-openssl-11.openssl11">A good chunk of
it is managed by four European coders and a former military
consultant in Maryland.</a></p>
<div class="toggleable" id="notes-openssl-11.openssl11"></div>
<p>To answer some of the astonished comments I made yesterday, the
lack of contributors to the project is baffling. So: the whole
Internet relied on 10 volunteers and 1 employee and nobody helped
them?</p>
<p>I guess this sort of comes back to one of the essential questions
in Free Software: how do you get the users to fund it? For some
kinds of software this can be difficult, but in the case of
OpenSSL I would have thought it would be easy, since so
many banks and web companies rely on it intensively.</p>
<p>But apparently they didn't care at all whether this major piece of
security they were using was able to keep up with security
standards or not. Considering the number of people involved with
the project, I don't see how it can devote enough scrutiny and
effort to ensure the code gets a thorough security review.</p>
<p>(Now, I have to wonder whether the WSJ piece is actually correct in the
way it counts the contributors to the project, because it's quite
possible that many companies making use of OpenSSL actually had
in-house security experts and developers test the code and send
patches and bug reports upstream, a bit like Google and that other
security firm did when they found out about Heartbleed…)</p>
<div class="toggleableend"></div>
<p>According to Brent Simmons, <a href="http://inessential.com/2014/04/11/does_that_pretty_much_wrap_it_up_for_c_">That pretty much wraps it up for
C</a>.</p>
<p>The whole Heartbleed affair also reminds me that OpenSSL is an
example of a bad idea when it comes to
<a href="https://people.gnome.org/~markmc/openssl-and-the-gpl.html">licensing</a>
<a href="https://lwn.net/Articles/428111/">issues</a>.</p>
https://hroy.eu/notes/openssl-tragedy/
<a href="http://creativecommons.org/publicdomain/zero/1.0/">CC0-1.0</a> except for the XKCD graphic
© XKCD <a href="http://creativecommons.org/licenses/by-nc/2.5/">CC-BY-NC-2.5</a>
2014-10-21T15:44:11Z
2014-04-11T08:34:03Z
<p>The <a href="http://heartbleed.com/">heartbleed</a> vulnerability is not only a catastrophic security
issue, <a class="toggle" href="https://hroy.eu/tags/security/#notes-openssl-tragedy.heartbleedtopics">it also spans other
interesting topics.</a></p>
<div class="toggleable" id="notes-openssl-tragedy.heartbleedtopics"></div>
<p>The first obvious lesson is that the communication around the
vulnerability was <a href="http://www.kalzumeus.com/2014/04/09/what-heartbleed-can-teach-the-oss-community-about-marketing/">brilliant marketing</a>.</p>
<p>The other, less satisfying, lesson is the question of why the majority of the
Internet relies on a very poorly funded project.</p>
<p>The Washington Post published an <a href="http://www.washingtonpost.com/business/technology/heartbleed-bug-puts-the-chaotic-nature-of-the-internet-under-the-magnifying-glass/2014/04/09/00f7064c-c00b-11e3-bcec-b71ee10e9bc3_story.html">article that misses the real
issue</a>. The Heartbleed debacle is not a problem with
the fact that <a href="https://blogs.fsfe.org/samtuke/?p=718">OpenSSL is Free Software</a> (the Apple goto
fail bug shows it's even worse when the code is proprietary: all Apple
users had to wait several days before a patch was shipped), nor with
the fact that the Internet has no single authority (if anything,
the OpenSSL library is a single point of failure).</p>
<p>I find it astonishing that OpenSSL is so poorly funded and
apparently lacks a governance strategy that includes large
stakeholders such as the major websites making use of the library,
which instead are essentially all irresponsible free-riders.</p>
<p>The real issue here is one of responsibility.</p>
<div class="toggleableend"></div>
<p>XKCD has an <a class="toggle" href="https://hroy.eu/tags/security/#notes-openssl-tragedy.xkcd1354">amazingly simple
explanation of how the vulnerability works.</a></p>
<div class="toggleable" id="notes-openssl-tragedy.xkcd1354"></div>
<p><a href="http://xkcd.com/1354/"><img src="https://hroy.eu/notes/openssl-tragedy/heartbleed_explanation.png" width="640" height="1364" class="img" /></a></p>
<div class="toggleableend"></div>
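<p>The XKCD strip above boils Heartbleed down to a heartbeat reply that trusts the length the peer claims. The C model below is an added example, not code from this page or from OpenSSL: it puts a trusting heartbeat handler beside one carrying the bounds check that the fix introduced. The record layout follows RFC 6520 (type, 16-bit big-endian payload length, payload, at least 16 bytes of padding); the arena buffer, the <code>PING</code> payload, the stand-in secret string and all function names are constructed for the demo. The arena also caps how far the trusting copy can read, whereas the real bug could return up to 64 KiB of whatever sat next to the record in process memory.</p>

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Heartbeat message as it sits in a TLS record (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * Constructed model for illustration; not OpenSSL's code. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };

/* Trusting handler: echoes as many bytes as the peer *claims* the payload has. */
int heartbeat_respond_trusting(const uint8_t *rec, uint8_t *out)
{
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);   /* reads past the record when the length is a lie */
    return 3 + payload;
}

/* Checked handler: claimed payload plus mandatory padding must fit in the record
 * actually received, and the reply must fit in the output buffer. Returns -1 on reject. */
int heartbeat_respond_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1;   /* the missing bounds check */
    if (3 + (size_t)payload > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    return 3 + (int)payload;
}

#define ARENA_SIZE 128
static const char SECRET[] = "constructed-session-cookie";   /* stand-in for adjacent heap data */

/* Lays out a 4-byte "PING" request (plus padding) at the start of the arena, followed by the
 * stand-in secret. claimed_len is written into the header. Returns the true record length (23). */
size_t build_arena(uint8_t *arena, uint16_t claimed_len)
{
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + 3, "PING", 4);
    memset(arena + 7, 0xAA, HB_PADDING);
    memcpy(arena + 7 + HB_PADDING, SECRET, sizeof SECRET);
    return 3 + 4 + HB_PADDING;
}

static int contains(const uint8_t *buf, int n, const char *s)
{
    size_t m = strlen(s);
    for (size_t i = 0; n > 0 && i + m <= (size_t)n; i++)
        if (memcmp(buf + i, s, m) == 0) return 1;
    return 0;
}

/* Runs one request through the chosen handler. Returns the response length (or -1 if rejected)
 * and sets *leaked when the stand-in secret shows up in the reply. claimed_len must stay
 * below ARENA_SIZE - 3 so the trusting copy remains inside the demo arena. */
int run_request(int checked, uint16_t claimed_len, int *leaked)
{
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_arena(arena, claimed_len);
    int n = checked ? heartbeat_respond_checked(arena, rec_len, out, sizeof out)
                    : heartbeat_respond_trusting(arena, out);
    *leaked = contains(out, n, SECRET);
    return n;
}

int main(void)
{
    int leaked;
    int n = run_request(0, 60, &leaked);
    printf("trusting, claimed 60: %d bytes returned, secret leaked: %s\n", n, leaked ? "yes" : "no");
    n = run_request(1, 60, &leaked);
    printf("checked,  claimed 60: %s\n", n < 0 ? "rejected" : "accepted");
    n = run_request(1, 4, &leaked);
    printf("checked,  claimed  4: %d bytes returned\n", n);
    return 0;
}
```

<p>The honest request (claimed length 4) passes both handlers and yields a 7-byte reply; the dishonest one (claimed length 60 on a 23-byte record) makes the trusting handler copy 60 bytes, carrying the stand-in secret, while the checked handler rejects it because 1 + 2 + 60 + 16 exceeds the record length.</p>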