OpenSSL and the TLS Heartbleed

I have been fascinated by the way various news outlets covered the OpenSSL bug that affected a large number of servers on the Interwebs. Actually, I chuckled when my wife shared what she had learned from her social media connections: she said, without hesitation, that they had found a Linux virus. It became apparent to me that mainstream media still spreads FUD regarding free software. For the record, the issue had little to do with Linux. The only common thread is that OpenSSL runs on many POSIX-compliant Unix-like systems; in fact, OpenSSL runs on most web and mail servers, and Linux is of course one such operating system. The patch was available roughly 24-36 hours after the initial vulnerability was published. In fact, I patched my systems the day after the reports were published and never gave it much thought afterwards.

Image: Heartbleed bug, what you need to know (April 11, 2014). Photo credit: marsmet549.

It is also important to note that open source projects have a very different business model from their closed-source counterparts; in fact, transparency is a basic tenet of free and open source software. The GPL essentially demands that source code be available to all for review, so it is not possible to suppress software vulnerabilities. Had this encryption software been owned by Apple or Microsoft, I am certain that the patch would not have been available as quickly, nor would the problem have been immediately understood by the white hats. ESR explains this point rather lucidly.

At the core of this is the "heartbeat" function of TLS, which really is a powerful feature. The idea of keep-alive functionality without performing a renegotiation would be a boon, and quite possibly a curse, for a production environment.
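The heartbeat exchange described above, as an added example that is not code from OpenSSL or from the original post: a minimal C handler for an RFC 6520 heartbeat request that performs the payload-length check whose absence was Heartbleed, rejecting any request whose claimed payload does not fit in the record that actually arrived. The function names (hb_build_response, hb_demo) and the sample 23-byte record are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* RFC 6520 HeartbeatMessage: type(1) | payload_length(2, big-endian)
 *                            | payload[payload_length] | padding(>=16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR_LEN  3
#define HB_MIN_PAD  16
#define HB_MAX_MSG  16384 /* 2^14, the TLS record limit */

/* Answer a heartbeat request held in rec[0..rec_len) by writing a response
 * into out. Returns the response length, or -1 if the request is discarded.
 * Comparing payload_length against rec_len is the check whose absence was
 * Heartbleed: without it the memcpy echoes whatever lies past the record. */
int hb_build_response(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR_LEN + HB_MIN_PAD || rec_len > HB_MAX_MSG)
        return -1;                          /* too short or oversized */
    if (rec[0] != HB_REQUEST)
        return -1;                          /* only requests get a reply */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    /* RFC 6520: a payload_length that does not fit in the received
     * message MUST cause the message to be silently discarded. */
    if ((size_t)HB_HDR_LEN + payload_len + HB_MIN_PAD > rec_len)
        return -1;
    size_t resp_len = HB_HDR_LEN + payload_len + HB_MIN_PAD;
    if (resp_len > out_cap)
        return -1;                          /* caller's buffer too small */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, payload_len); /* echo payload */
    memset(out + HB_HDR_LEN + payload_len, 0, HB_MIN_PAD);  /* fresh padding */
    return (int)resp_len;
}

/* Constructed sample: a 23-byte record carrying the 4-byte payload "ping"
 * whose header claims `claimed` payload bytes. claimed == 4 is honest and
 * yields a 23-byte response; anything larger must be rejected with -1. */
int hb_demo(uint16_t claimed)
{
    uint8_t req[23] = {HB_REQUEST, (uint8_t)(claimed >> 8), (uint8_t)claimed,
                       'p', 'i', 'n', 'g'};
    uint8_t resp[64];
    return hb_build_response(req, sizeof req, resp, sizeof resp);
}
```

hb_demo(4) returns 23 (a well-formed echo), while hb_demo(5) and hb_demo(16384) return -1 because the claimed payload and padding no longer fit inside the 23 bytes received.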

This entry was published by AG on April 17, 2014 11:33 PM.