Batten down the hatches! OpenSSL preps fix for high impact vuln

Sysadmins, brace yourselves: OpenSSL has announced that its upcoming releases will fix a "high" severity flaw. Every OpenSSL release since the infamous Heartbleed vulnerability of April 2014 has been met with nervous anticipation, and that applies as much to the upcoming 1.0.2h and 1.0.1t releases as to the others before them. The last major …

  1. NoneSuch
    Coat

    Another flaw which just goes to show how undermined these "secure" and "government approved" encryption packages are.

    Maddening.

    1. Tomato42 Silver badge
      Stop

      All software has bugs. Software that is highly scrutinized will turn up a lot of bugs.

      It would be far more worrying if, after Heartbleed, we weren't getting a semi-constant stream of security fixes for the library.

      1. asdf Silver badge

        >It would be far more worrying if, after Heartbleed, we weren't getting a semi-constant stream of security fixes for the library.

        Granted, things are better today and it's a bit dated, but I'm just going to leave this link for devs on why they should probably avoid OpenSSL if they can: http://opensslrampage.org/page/48 . This spaghetti code base has been badly managed for a very long time.

        1. theblackhand

          As others have said, Heartbleed set the expectation that there would be a lot of changes to address SSL/TLS security in the coming years as some of the code found indicated very poor practices.

          Completely getting rid of SSLv2 and historical export defaults, and slowly killing off SSLv3 while combing through TLS to make sure it was fit for purpose, takes time, as does cleaning out issues within the trusted Certificate Authority model and getting people to upgrade their certificates to current standards to address encryption/hash protocols that were approaching the end of their working lives.

          However, if it is another DROWN-type vulnerability where disabling SSLv2/v3 is a workaround, I'll sleep easier...

    2. Chika
      FAIL


      Another flaw which just goes to show how undermined these "secure" and "government approved" encryption packages are.

      All encryption is breakable. It's just a matter of time and resources. No matter how secure it is, no matter who approves it, somebody will be looking for ways to break it because the possible returns can be great.

      The only real hope you have is that bugs in an encryption system are found legitimately and fixed before they can be exploited. That seems to be what has happened here.

      I'll get your coat now.
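Two practical checks follow from the thread above: whether a given OpenSSL build is on or past the fixed patch level the article names (1.0.1t, 1.0.2h), and whether the DROWN-style workaround theblackhand mentions (refusing SSLv2/SSLv3) is in place on a server context. This is an added example written for this page, not code from the OpenSSL project or from the article. It assumes the article's two fixed versions are the only data point, so builds from branches the announcement does not name report None rather than a guess; the minimum of TLS 1.2 in the server context goes beyond the thread's SSLv2/v3 workaround to what a practitioner would set today, and the sample version strings are constructed.

```python
"""Added example: is this OpenSSL build patched, and is the SSLv2/SSLv3
workaround in place?  Not code from OpenSSL or from the article."""
import re
import ssl

# Patch levels named in the article for the two supported branches at the time:
# the "high" fix ships in 1.0.1t and 1.0.2h (assumption: only those two
# branches are covered; anything else reports None rather than a guess).
FIRST_FIXED_LETTER = {(1, 0, 1): "t", (1, 0, 2): "h"}

# Accepts the bare "1.0.2g" form and the `openssl version` / ssl.OPENSSL_VERSION
# form such as "OpenSSL 1.0.2g  1 Mar 2016" (or a "LibreSSL 3.x.y" prefix).
_VERSION_RE = re.compile(r"^(?:[A-Za-z]+\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, fix, patch_letter) for a 1.0.x-style version string."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def has_high_fix(version_text):
    """True if this build already carries the fix, False if it needs upgrading,
    None if the branch is not one the announcement covers."""
    major, minor, fix, letter = parse_openssl_version(version_text)
    branch = (major, minor, fix)
    if branch not in FIRST_FIXED_LETTER:
        return None
    # 1.0.x patch releases append a single letter to the branch; an empty
    # letter is the base release, which sorts before any lettered release.
    return letter >= FIRST_FIXED_LETTER[branch]


def make_server_context():
    """Server-side context with the DROWN-style mitigation applied: SSLv2 and
    SSLv3 cannot be negotiated.  TLS 1.2 as the floor is a present-day choice
    (assumption), stricter than the SSLv2/v3-only workaround in the thread."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_ssl_disabled(ctx):
    """Check that a context refuses SSLv3 and anything older."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1


if __name__ == "__main__":
    # Constructed sample strings, plus whatever OpenSSL this interpreter links.
    samples = ("OpenSSL 1.0.2g  1 Mar 2016", "1.0.2h", "1.0.1t", "1.0.1s",
               ssl.OPENSSL_VERSION)
    for sample in samples:
        print(f"{sample!r:40} fixed: {has_high_fix(sample)}")
    print("legacy SSL disabled:", legacy_ssl_disabled(make_server_context()))
```

Run it against `openssl version` output on each host; a False means the host still needs the upgrade, and a None means the branch is outside the article's announcement and has to be checked against that branch's own advisory.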

  2. Anonymous Coward

    <Insert name here>

    It can't be that serious if it doesn't have a logo or even a catchy title. I'm going to relax and have a beer.

    Maybe when we know more about it El Reg could have a name that bug competition.

    1. Steven Burn

      Re: <Insert name here>

      OpenWoopsie?

    2. Solly
      Joke

      Re: <Insert name here>

      OpenSSLBug McOpenSSLBuggyface?

  3. Necronomnomnomicon

    Any news on whether this affects the BoringSSL and LibreSSL forks? They must be starting to get quite attractive.

    1. Anonymous Coward

      BoringSSL is Google's fork for internal use, not for general use.

      Last time I checked, LibreSSL was ready for use in BSD, but not production ready in Linux.

      1. Anonymous Coward

        BoringSSL is the SSL that Google deploys to all Android phones via Play Services, so as not to need to wait for phone vendors to update the core OS, delivering very rapid patch cycles for services that matter.

        http://developer.android.com/training/articles/security-gms-provider.html

        #whatsnakeoilvendorsforgettomention

    2. Charlie Clark Silver badge

      I guess we won't know until there is a release. Just checked the LibreSSL site. Interesting in the release notes from January about which OpenSSL CVEs did not affect LibreSSL and OpenBSD Journal saying that DROWN didn't apply because SSL v2 support had been dropped. Unfortunately, the public mailing list doesn't seem to be mirrored anywhere.

      One defence seems to be a fairly aggressive dropping of older versions.

      1. Anonymous Coward

        It's easier to aggressively drop old versions when you've got a tiny, tiny market segment. OpenSSL, being the default in so many places, doesn't have that comfort. Being the default that nobody cares to check is like that: even though they've strongly advised maintainers to disable SSLv2 for years, nobody listened.

        Those vulnerabilities have a silver lining: now OpenSSL is able to make changes that would have pissed off a lot of people in the past.

        1. Charlie Clark Silver badge

          Those vulnerabilities have a silver lining: now OpenSSL is able to make changes that would have pissed off a lot of people in the past.

          You can't have your cake and eat it – compatibility for insecure protocols and security which is what you seem to be arguing for.

          An aggressive versions policy is okay if it's properly communicated and for the right reasons.

    3. Dan 55 Silver badge

      The Wikipedia page for LibreSSL should be updated soon saying whether or not it's affected.

  4. Comments are attributed to your handle

    "OpenSS has announced..."

    Quick, someone inform the UN - the Nazis are open-sourcing their paramilitary operations!

  5. Anonymous Coward
    IT Angle

    I looked at the code

    And the bug should be called "Captain Spank-Monkey Fumblin' Ephemeral" after my old Granpappy who died alone, apart from his monkey. Which he spanked to the end.

  6. Camilla Smythe Silver badge

    Maybe we should Open Source Government.

    I know fuck all about encryption, but it would seem that when FOSS gets found with its pants down the hands go up and they, or others, sort it. ITMT 'Dave The Dim' relies on such software to keep his agenda secret. What's that, 'Dave The Dim'? Did WhatsApp have a zero day? That's a bit of a shame. Maybe your script kiddie masters at GCHQ will tell you about it after you have been pwned.

    1. TeeCee Gold badge
      WTF?

      Re: Maybe we should Open Source Government.

      amanfromMars? Is that you?

      1. gerdesj Silver badge

        Re: Maybe we should Open Source Government.

        "amanfromMars? Is that you?"

        No: awomanfromvenus is foaming at the mouth today 8)

  7. anniemouse

    anything and everything beats microsoft windows

    OWNERSHIP MEANS EVERYTHING

    Public ownership of internet resources will prevent the privateers from robbing us of free speech.

    Public ownership of internet resources will allow generations hence to be guaranteed a platform to stand on.

    Privateers are thieves.

  8. Michael Wojcik Silver badge

    Oh, good, more bullshit from the Reg

    This is a good thing.

    Why? Care to make an actual argument, hopefully substantiated with some data, that "branded" bugs are detrimental to security? Or are you just being an ass?

    Branded bugs have been quite effective at motivating management and users who are not IT security experts to install fixes and upgrade systems. Heartbleed's publicity is the only reason why the OpenSSL Foundation got the funding to revive the project and fix all the bugs since.

    Writers really ought to understand rhetoric. And be able to think critically.

    1. Tomato42 Silver badge

      Re: Oh, good, more bullshit from the Reg

      It's because the fact of branding a vulnerability doesn't mean anything.

      There are severe vulnerabilities which are not branded and irrelevant vulnerabilities which are (Grinch attack as an example).

      By focusing on branding you simply focus on the wrong thing. You should focus on the security and vulnerability parts.
