back to article Awoogah – brown alert: OpenSSL preps 'high severity' security fixes

Developers behind the widely used OpenSSL encryption library have warned that they will issue fixes for a mix of bugs next Tuesday (1 March). The patches will land right in the middle of the RSA Conference, infosec marketing's version of the Superbowl. It's understood the bugs are significant (as in, patch as soon as you can …

  1. GrumpenKraut Silver badge

    Could we fucking kill it already?

    And rewrite from scratch. It cannot possibly become worse.

    1. Anonymous Coward
      Anonymous Coward

      Re: Could we fucking kill it already?

      And rewrite from scratch

      When are you starting then?

      1. GrumpenKraut Silver badge

        Re: Could we fucking kill it already?

        > When are you starting then?

        What's the logic here? If I complain about my browser then I have to either write a browser or shut up?

        1. Sam Liddicott

          Re: Could we fucking kill it already?

          or buy yourself an SLA

    2. sysconfig

      Re: Could we fucking kill it already?

      It's already happening: LibreSSL.Available in OpenBSD, where it comes from, and elsewhere

      1. asdf Silver badge

        Re: Could we fucking kill it already?

        LibreSSL is still forced to use OpenSSL broken ass api for compatibility reasons. At least there is nss (among many others) and I do believe the LibreSSL folks did also release a library with a sane ssl api. Which is good for new apps but sadly the trojan like OpenSSL is in enough products you will more than likely at least be downstream patching for years to come.

      2. Michael Wojcik Silver badge

        Re: Could we fucking kill it already?

        It's already happening: LibreSSL.

        LibreSSL was not "written from scratch". And it has problems of its own, including bugs (e.g. CVE-2015-5333), lack of FIPS 140 validation (which makes it useless for businesses that have to sell to the US Federal government), somewhat complicated licensing, and source code that suffers from the disease known as KNF.

        OpenSSL remains by far the most complete open-source SSL/TLS implementation available. Many people can get by with an alternative; others cannot. These calls to "just replace OpenSSL" are ignorant grandstanding.

        1. Roo
          Windows

          Re: Could we fucking kill it already?

          "lack of FIPS 140 validation"

          The NIST website shows that the vast majority of OpenSSL installations in the wild are not validated either, the validation applies to a very small set of hardware + software configurations. Judging by the short list of valid configurations it looks like vendors paid NIST to validate specific configurations - is there something stopping Vendors from submitting LibreSSL for validation ?

    3. Anonymous Coward
      Anonymous Coward

      Re: Could we fucking kill it already?

      It's not the only library available. The problem is all those lazy developers who used it blindly because it was free. Of course never, ever, looking at the code...

    4. Gerhard Mack

      Re: Could we fucking kill it already?

      They did, GNUTLS and almost no one supports it despite the API being a lot more sane.

    5. Anonymous Coward
      Joke

      Re: Could we fucking kill it already?

      Don't worry. Soon, systemd-tls will fix it.

    6. TheVogon Silver badge

      Re: Could we fucking kill it already?

      Remind me how Open Source is more secure again, because lots of people can review the code ?!

  2. J J Carter Silver badge
    Paris Hilton

    Oops!

    Many eyes, all rubbish at spotting security vulnerabilities.

    Paris, as she always exposing cracks (also serials & warez)

    1. linicks

      Re: Oops!

      It has been spotted. Now prove that proprietary software (aka MS et al) hasn't got real dodgy bugs that nobody can find because all are BLIND

      1. Tomato42 Silver badge
        Boffin

        Re: Oops!

        *cough*CVE-2014-6321*cough*

        all software is buggy, because OpenSSL is used by huge amounts of servers and is at the centre of many security systems, it is in the spotlight of all the researchers - for good reason, as it also in the spotlight of the crooks

        1. asdf Silver badge

          Re: Oops!

          >>Many eyes, all rubbish at spotting security vulnerabilities.

          >.. is used by huge amounts of servers and is at the centre of many security systems, it is in the spotlight of all the researchers

          Finally answering the question can a big enough hairball spaghetti code base from hell (which OpenSSL is) be patched sufficiently even with the whole internet trying. Perhaps but you are going to be seeing critical/severe OpenSSL CVEs for years to come and the vast majority won't be in code written in the last few years or going forward.

      2. Anonymous Coward
        Anonymous Coward

        Re: Oops!

        Do you believe most of these bugs are found looking at the code? Vulnerability researches have a plethora of other methods to find vulnerable code, even in non open source one (but there are people outside Microsoft who have access to Windows code - just you need to be eligible for that). The only real drawback is you have to wait for a fix - you can't fix it yourself (if you're able to do it properly).

        And these bugs have been in OpenSSL for years and years, until Heartbleed opened the worms can...

    2. Dan 55 Silver badge
      FAIL

      Re: Oops!

      They did, and as a result they made LibreSSL.

    3. Roo
      Windows

      Re: Oops!

      "Many eyes, all rubbish at spotting security vulnerabilities."

      Vulnerabilities were spotted only for the OpenSSL maintainers to ignore/reject them and the patches.

      Now tell me, how long does it take for a multi-billion dollar company stop rendering fonts in ring 0 ?

      Keep in mind this company has over 30 years of experience writing OSes and attracts the very best talent (according to the folks who work there), they were advised not to do this, and their font rendering code has yielded multiple drive-by priv escalation exploits.

    4. Captain DaFt

      Re: Oops!

      "Many eyes, all rubbish at spotting security vulnerabilities."

      Actually, as shown here, it works quite well, when someone does look.

      Probably one of the happier fallouts of the whole NSA/Snowden affair, instead of just passively assuming that someone's looking, more are actually getting into the code looking.

      (Now, what do you say about closed source software, where you can't look, and there's TLA pressure to put backdoors in?)

  3. regadpellagru

    Why bother about openssl anymore ?

    Really, why ?

    Long after kingdom has come and all cows have returned home, will there be terrible bugs in this, affecting any platform, due to a memory allocator compatible with Win16, MPE 6, VMS 2 and probably ENIAC as well.

    It needs to die, really, and be forgotten.

    1. asdf Silver badge

      Re: Why bother about openssl anymore ?

      >It needs to die, really, and be forgotten.

      Many of came to that conclusion. The big groan when heartbleed came out was everyone realizing what a POS OpenSSL was and now much it is wedged into the infrastructure of the web.

      1. Brewster's Angle Grinder Silver badge

        Re: Why bother about openssl anymore ?

        "...[h]ow much [OpenSSL] is wedged into the infrastructure of the web."

        Yeah, it's wedged like the keystone of an arch.

        1. Fred Flintstone Gold badge

          Re: Why bother about openssl anymore ?

          Yeah, it's wedged like the keystone of an arch.

          Yes, the quality is an utter pain, but if you remove it, the rest will come tumbling down with it.

          That's a brilliant analogy.

          1. Anonymous Coward
            Anonymous Coward

            Re: Why bother about openssl anymore ?

            Many sagas will be sung about the Epic of OpenSSL when its body has been dumped on a boat cast adrift and its soul has finally gone to the castle of Aargh.

        2. Anonymous Coward
          Anonymous Coward

          Re: Why bother about openssl anymore ?

          Yeah, it's wedged like the keystone of an arch.

          ...holding up the bridge to HTTPS Everywhere SPDY HTTP/2.

          Just another existential risk waiting to bring down the internet web.

    2. Crazy Operations Guy Silver badge

      Re: Why bother about openssl anymore ?

      "due to a memory allocator compatible with Win16, MPE 6, VMS 2 and probably ENIAC as well."

      The motivation for OpenSSL was to stop programmers form trying to roll their own crypto, then they go and write their own memory allocator. Seems like they really need a big ol' dose of self awareness...

  4. FatGerman

    Pisses me off...

    ... all these tards coming here moaning about how shit it is when it was written by a bunch of guys in their spare time as a hobby thing. It's not their fault the entire web decided to use it without checking they knew what they were doing.

    You think it's shit, you do better, in your spare time, for no pay. Go on, I fucking dare you.

    1. Crazy Operations Guy Silver badge

      Re: Pisses me off...

      The complaints are about how the OpenSSL developers kept shouting about how great their software was when in reality, it was full to brim with shitty, unmaintainable code.

      1. FatGerman

        Re: Pisses me off...

        Fair enough. Don't blow your own trumpet when you're surrounded by Miles Davis.... on the other hand don't rely on something written by people who were likely drunk when they wrote it to secure your website.

        Honestly.. people rely on this for security and nobody checked the code until now? It's written by people IN THEIR SPARE TIME for fuck's sake. Oh yeah, I just bought this amazing sports car. The guys who designed it did it in a shed in whitstable.. it hasn't actually got an MOT yet but I'm hopeful....

        I write an open source application. My code is shit and I know it but nobody relies on it for security. What makes people think that open source is somehow good? Usually it's people like me who haven't a fucking clue what they're doing. We write stuff we want because we can't get paid for doing it.

        1. Stevie Silver badge

          Re: Pisses me off...

          Sorry, FG, the "what do you expect, it's free" argument doesn't do it fot me. Been on the sharp end of that too many times at the urging of those waving hands in air two months later.

        2. Allan George Dyer Silver badge

          Re: Pisses me off...

          @FatGerman - What makes you think the professionals are writing anything better? Sure, the sports car from the shed in whitstable doesn't have an MOT, but neither does the Ferrari because there aren't any MOTs.

          Writing security software is hard, like consistently getting a hole-in-one every time you hit a golf ball, in a hurricane, with a large army on the course trying to stop you.

      2. Michael Wojcik Silver badge

        Re: Pisses me off...

        how the OpenSSL developers kept shouting about how great their software was

        Citations, please. Prior to the massive cash infusion after Heartbleed, OpenSSL had one full-time developer: Steve Henson, who is not inclined to make public pronouncements, and generally restricted his comments on openssl-users and openssl-dev to technical matters.

        As I recall, Eric Young sometimes debated broader questions on the lists (I remember his weighing in on an exchange about whether OpenSSL needed a gather-write API to help apps avoid Nagle / Delayed ACK interaction), but I can't think of any occasions where he claimed the OpenSSL source code was "great".

    2. GrumpenKraut Silver badge

      Re: Pisses me off...

      By that logic, if I complain about (say) the sausage I bought at my local butcher, he can say "You think it's shit, you do better!" (I certainly cannot).

      Given the importance of SSL I do not find it unreasonable to ask for a new attempt. Have read the comments up to here, thanks for pointing at LibreSSL.

    3. Charlie Clark Silver badge
      Thumb Down

      Re: Pisses me off...

      ... all these tards coming here moaning about how shit it is when it was written by a bunch of guys in their spare time as a hobby thing.

      Be that as it may – yes, it was a dismal state of affairs – the project has now had money thrown at it and it still sucks. Version names like 0.9.8zg FFS

      Still poor design is poor design. LibreSSL wasn't forked for fun but after a thorough code review which determined that a new start of a less ambitious project would be better.

      1. Michael Wojcik Silver badge

        Re: Pisses me off...

        the project has now had money thrown at it and it still sucks.

        The post-Heartbleed OpenSSL releases have seen a wide range of less-severe issues corrected. The 1.1 branch has removed a ton of old code and greatly cleaned up the API, with extensive consultation with users (via openssl-users, and if you use OpenSSL and don't subscribe to that list, then you deserve what you get).

        "still sucks" is, of course, a meaningless subjective evaluation. By various objective metrics, OpenSSL has gotten much, much better over the past two years.

        Version names like 0.9.8zg FFS

        That is the stupidest objection I've ever seen to a software project. And 0.9.8 is no longer being maintained, so it's also irrelevant.

  5. gollux
    Mushroom

    Blown away.

    Internet Security is based on a house of cards, and one day, somebody's going to open the window...

  6. Walter Bishop Silver badge
    Linux

    Security defects in the age of ubiquitous connectivity

    How about borrowing the 'allele' from the biological sphere. As in you impliment multiple versions of the same functionality in differing languages and mix-and-match on the end system. That way a bug in one process on one particular machine won't lead to a potential global infestation.

    1. frank ly Silver badge

      Re: Security defects in the age of ubiquitous connectivity

      If we continue your analogy, this is like one version not only not functioning correctly, but producing poison that seeps into the rest of the body. With software security, the more you have running, the bigger the chance of a serious failure happening.

    2. Anonymous Coward
      Anonymous Coward

      Re: Security defects in the age of ubiquitous connectivity

      As in you impliment multiple versions of the same functionality in differing languages and mix-and-match on the end system. That way a bug in one process on one particular machine won't lead to a potential global infestation.

      Ironically, this was a key argument for us to stop using Windows everywhere (we call it the domino effect, and it was demonstrated during the I Love You virus attack). The only issue that we now have is that we have a backbone based on one type of tech because you better control one type of tech well than multiple types of tech halfway, but by using Open Standards it now doesn't matter what desktops we use. Thus, graphics people use Macs, most of operations and security use a mixture of OSX and Linux and the admin staff seems to be still most comfortable with Windows (that is W7, I think we may give them a W8.1 upgrade but that's as far as we dare to go because we really, really, really do not like W10, and neither do the lawyers who actually read the licenses we have to agree to).

    3. Allan George Dyer Silver badge

      Re: Security defects in the age of ubiquitous connectivity

      It might work... if you've got time for a few million generations of evolution, and you don't mind a high failure rate. Remember, every individual that doesn't survive to reproduce is a failure, and in some species each individual produces millions of eggs with, on average, one surviving.

  7. RIBrsiq
    Coat

    "Brown Alert"?

    Hint as to what colour pants to wear before reading the release notes, is that...?

    1. MyffyW Silver badge

      Hint as to what colour pants to wear...

      The big girl ones. Then on 1st March patch. Then relax with a chocolate bar. Panic over.

      Software has bugs. Well maintained software gets fixes for those bugs. Well maintained systems get patched.

    2. This post has been deleted by its author

  8. Charlie Clark Silver badge

    Will Libressl also be affected

    Be interesting to see if LibreSSL also releases a patch at the same time and, if so, what it contains: whether this is related to preserving the API or having a similar vulnerability.

  9. Alan J. Wylie

    Two recent CVEs mentioned in the git log

    CVE-2016-0799: Fix memory issues in BIO_*printf functions

    "These problems could enable attacks where large amounts of untrusted data is passed to the BIO_*printf functions"

    CVE-2016-0798: avoid memory leak in SRP

  10. mike acker

    Client must generate session key

    Bruce Schnieer notes "Complexity is the enemy of security" He's right, as usual.

    and HTTPS / SSL is a perfect example: the session key HAS to be generated by the CLIENT

    when the session starts you have only half of a PGP secure link: client has the public key for

    the server and the the sever holds the corresponding private key

    what this means is: the client can authenticate a message from the server -- but the server

    cannot authenticate the client except for the use of a user ID and password .

    for this reason the session must start with the server sending an signed copy of its letterhead

    to the client . the client can authenticate this -- using the X.509 certificate it thinks*

    belongs to the server it is attempting to connect

    if the letterhead authenticates then the CLIENT can generate a session key, encrypt it for the

    SERVER and send it. it cannot be done in reverse because the server does not have a public key

    for the client. end of story.

    simplicity is the answer.

    --

    * x.509 certificates are printed and broadcast like losing lotto tickets. we must develop a

    process wherein the CLIENT has a PGP key and is able to SIGN for TRUSTED x.509 certificates.

    this will require the development and deployment of a KEK device: you cannot use smart phones

    for this: you must use a single purpose device so that updates can be STRICTLY controlled .

  11. The bigger, blacker box.

    Old addage

    "You can either make something so simple that there are obviously no bugs, or so complex that there are no obvious bugs"

    OpenSSL falls into the later category, the biggest issue is that they don't deprecate, so SSLv2 code is still in there (this is where the most serious bugs are this time), what is changing is that the default installs are no longer including weak ciphers and old transport methods.

    Really old bugs (like Heartbleed) are likely to be found eventually, and this isn't the end of it - when people complain "all those eyes and these things are not found", they are wrong - they have been found, this is the point - they have just been found, the problem is this code is released, it's out there, running so it seems to be a problem.

    But closed source "appears" safer because a patch gets released and it silently fixes stuff where people don't have the source in front of them to go "Look, what an idiot... that's baaaaaaad code", do you think that every MS patch isn't patching *exactly* the same sort of mistakes, in fact it's only the reverse engineering crowd that are highlighting the overflows etc. (without the benefit of the source) and building exploits, the difference is, by then it's too late, it's patched.

    More code will be patched, more bugs found, and the bigger it gets, the more eyes will find issues, there *is* a case for security by obscurity (which MS do well), but not as a substitute for testing and going through the code - which of course MS do, when code crashes or acts unpredictably, that's those bugs manifesting, the difference is, Joe Smoe doesn't have the code in front of them to work out why, MS do, and their motivation is to fix it, not to exploit it - get OpenSSL to do something unpredictable or crash, you have the code and it's more fun to find an exploit.

    YMMV

    1. Roo
      Windows

      Re: Old addage

      "Joe Smoe doesn't have the code in front of them to work out why, MS do, and their motivation is to fix it, not to exploit it - get OpenSSL to do something unpredictable or crash, you have the code and it's more fun to find an exploit."

      At best the lack of source code deters skiddies looking for a quick hit. Folks who are skilled in the art of computing really don't need it, and modern disassemblers make life very easy for the folks who can be arsed to use them. It really isn't rocket science folks.

      Witholding source code from customers just makes it harder for them to help the vendor.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019