April 2014 Archives

OpenSSL and the TLS HeartBleed

I have been fascinated with various news outlets and their coverage of the OpenSSL bug which affected a large number of servers on the Interwebs. Actually, I chuckled when my wife shared what she had learned from her social media connections. She said, without hesitation, that they had found a Linux virus. It became apparent to me that mainstream media still spreads FUD regarding free software. For the record, the issue had little to do with Linux. The only common thread is that OpenSSL runs on many POSIX-compliant Unix-like systems; in fact, OpenSSL runs on most web and mail servers, and Linux is of course one such operating system. The patch was available roughly 24-36 hours after the initial vulnerability was published. In fact, I patched my systems the day after the published reports and never gave it much thought afterwards.

[Image: Heartbleed bug, What you need to know (April 11, 2014). Photo credit: marsmet549]

It is also important to note that open source projects have a very different business model than their closed-source counterparts; in fact, transparency is a basic tenet of free and open source software. The GPL essentially demands that source code be available to all for review, so it is not possible to suppress software vulnerabilities. Had this encryption software been owned by Apple or Microsoft, I am certain that the patch would not have been available as quickly, nor would the problem have been immediately understood by the white hats. ESR explains this point rather lucidly.

At the core of this is the "heartbeat" extension of TLS, which really is a powerful feature. The idea of keep-alive functionality without performing a renegotiation would be a boon, and quite possibly a curse, for a production environment.
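As an added illustration (not code from this post and not OpenSSL's own code), here is a heartbeat record parser in C that applies the length check whose absence made Heartbleed possible: the record layout and constants follow RFC 6520, while the two sample records are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RFC 6520 heartbeat message: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Validate a heartbeat record and locate its payload. Returns the payload length
 * to echo, or -1 if the record is malformed, including the Heartbleed case where
 * the declared payload_length exceeds what the record actually carries. */
int hb_parse(const uint8_t *rec, size_t rec_len, const uint8_t **payload_out)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)        /* cannot even hold header + padding */
        return -1;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2]; /* sender-controlled value */
    /* The bounds check the vulnerable code lacked: the record actually received,
     * not the sender's declared length, decides how many bytes may be echoed. */
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len)
        return -1;
    *payload_out = rec + HB_HEADER_LEN;
    return (int)payload_len;
}

/* Echo exactly the validated payload; padding is zeroed here (real code uses random bytes). */
int hb_build_response(const uint8_t *payload, int payload_len, uint8_t *out, size_t out_cap)
{
    if (payload_len < 0 || payload_len > 0xFFFF) return -1;
    size_t need = HB_HEADER_LEN + (size_t)payload_len + HB_MIN_PADDING;
    if (need > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xFF);
    memcpy(out + HB_HEADER_LEN, payload, (size_t)payload_len);
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return (int)need;
}

/* Constructed sample records (not captured traffic): an honest request carrying
 * "hello", and one whose length field claims 65535 bytes but carries the same 5. */
static const uint8_t hb_ok[]  = {1, 0x00, 0x05, 'h','e','l','l','o', 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
static const uint8_t hb_bad[] = {1, 0xFF, 0xFF, 'h','e','l','l','o', 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};

/* Size of the response a server would send for a record, or -1 if it is rejected. */
int hb_demo(const uint8_t *rec, size_t rec_len)
{
    const uint8_t *p; uint8_t resp[64];
    int n = hb_parse(rec, rec_len, &p);
    return n < 0 ? -1 : hb_build_response(p, n, resp, sizeof resp);
}
```

The honest record yields a 24-byte response; the over-declared one is dropped instead of being answered with 64 KB read from beyond the record.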
