
Why longstanding open source projects might not be as secure as thought


Many of you have probably already heard about the Heartbleed bug in OpenSSL, which made all SSL useless for about two years and was only recently discovered.

Basically, because of the bug you were able not only to steal the server's private key (with which you can decrypt any communication between client and server captured over the past two years) but also to steal other data residing in the memory of the whole server (passwords or any other secrets).

What’s more interesting is that an attack would not be detectable at all. No traces, no signs. A dream come true for anyone wanting to get you.

It was all caused by a tiny bug in the OpenSSL library, which is the most popular security-related library used on Linux, *BSD and Mac.
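The "tiny bug" was a missing bounds check in OpenSSL's handling of the TLS heartbeat extension: the server trusted the payload length the peer claimed in the record instead of the number of bytes it had actually received, and echoed that many bytes back. The simplified C below is an added illustration, not OpenSSL's code; the record layout, function names and the constructed memory arena are assumptions that follow the general shape of RFC 6520.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed heartbeat record layout: type (1 byte), payload length (2 bytes,
 * big-endian), payload, then at least 16 bytes of padding. */
#define HB_HEADER  3
#define HB_PADDING 16

/* Constructed "process memory": a 21-byte record that claims a 32-byte
 * payload but carries only "hi", followed by data the peer must never see.
 * Returns the number of bytes the server actually received. */
static size_t build_arena(unsigned char *mem, size_t cap)
{
    const unsigned char record[] = { 0x01, 0x00, 0x20, 'h', 'i',
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
    memset(mem, 0, cap);
    memcpy(mem, record, sizeof record);
    memcpy(mem + sizeof record, "SECRET-KEY-MATERIAL", 19);
    return sizeof record;                      /* 21 */
}

/* Vulnerable pattern: the length field inside the record is believed, the
 * real record size is ignored, so the copy runs past the received bytes
 * into whatever the process holds next to them. */
static int hb_reply_vulnerable(const unsigned char *rec, size_t rec_len,
                               unsigned char *out, size_t out_cap)
{
    (void)rec_len;                             /* never consulted */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > out_cap) return -1;          /* only protects `out` */
    memcpy(out, rec + HB_HEADER, claimed);     /* over-reads `rec` */
    return (int)claimed;
}

/* Hardened pattern: the claimed length must fit inside the bytes received
 * (header + payload + padding); anything else is silently discarded. */
static int hb_reply_fixed(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_PADDING > rec_len) return -1;
    if (claimed > out_cap) return -1;
    memcpy(out, rec + HB_HEADER, claimed);
    return (int)claimed;
}
```

Run against the constructed arena, the vulnerable handler returns 32 bytes of which 14 are the neighbouring secret; the fixed one rejects the record and returns -1.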

This leads to a couple of interesting observations. First, I think it was the biggest Trojan horse ever: you would never expect your “security” library to actually be malicious :-)

Being open source with a long history, OpenSSL was widely adopted as the security foundation of many operating systems: Linux, the BSD flavors and even Mac. So by breaking it you actually broke all of them. That’s huge!

Only Microsoft and Mac (partially, for apps that don’t use OpenSSL) were not compromised, because they have their own SSL library implementations.

Thinking about the recent NSA scandal makes me wonder who was involved, and whether this issue was “random” or “engineered”.

It also makes me think that if you are running an open source project (especially such a widely used one) you need to be aware that you might be under attack.

Someone may want to put bad code into your app.