Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenSSL Security Vulnerability

Posted by michael on from the what-me-worry dept.

SiliconEntity writes "On the heels of multiple OpenSSH vulnerabilities, the OpenSSL project is now reporting a number of security vulnerabilities of its own. OpenSSL is a standard cryptographic library used in a wide variety of security applications. The new vulnerabilities range from denial-of-service attacks to stack corruption, which imply the possibility of running malicious code. New versions of the software are released today which address the vulnerabilities."

6 of 245 comments (clear)

  1. phew by Anonymous Coward · · Score: 5, Funny


    thank goodness i use windows

    1. Re:phew by Troll_Kamikaze · · Score: 5, Funny

      Hell, Microsoft is even kind enough to send the "Latest Internet Patch" right to my inbox. Sometimes 36 times a day, when necessary!!

      Now that's what I call service!

  2. Why is some software more secure than others? by cras · · Score: 5, Insightful

    I got annoyed at the slashdot comments last time there was security hole in OpenSSH and wrote this page (copy pasted below). I count OpenSSL as insecure software - we need a secure replacement. GNUTLS looks somewhat better, but I don't trust it too much either.

    Why is some software more secure than others?

    How do you measure software security?

    Here's my definition on what is secure software.

    Intro

    I get really tired of seeing these kinds of comments every time some widely used software has security holes:

    • No software is secure. The difference is how quickly they fix it.
    • It's good that they were found. Now we have less security holes.
    • Popular software gets more security audits which is why they seem to have more security holes.

    While they may be partially true, I think they're also very misleading and disparages the hard work that some secure software authors have done.

    Simplicity Is Security

    The difference between secure and insecure software is really the coding techniques being used by it's authors. Authors of secure software do everything they can to prevent accidental mistakes from ever happening. Authors of insecure software just fixes the accidental mistakes. There are very few secure software authors.

    Auditing insecure software doesn't make it secure. Sendmail is a good example of this. It's been audited countless times by competent people. The simplest mistakes were catched easily long time ago, but a few very difficult to find vulnerabilities were found only recently.

    How do secure software authors then avoid the kind of security holes that are difficult to find? By keeping the code simple. The code doesn't get secure by polluting it with tons of security checks. It gets secure by keeping the security checks in as few places as possible.

    Auditing secure software is easy. You can just quickly browse through most of the sources without having to stop and look at it carefully. Everything just looks clean, simple and correct. vsftpd is a good example of this.

    Sure, it's still possible that secure software has some security holes occationally. It just happens a lot less often (if ever) and usually the problems are less critical. For example none of the security holes in Postfix have lead to arbitrary code execution or being able to read other peoples mails. Denial of Service attacks are nothing compared to them.

    (some examples in the web page not included)

    1. Re:Why is some software more secure than others? by SiliconEntity · · Score: 5, Informative

      How do secure software authors then avoid the kind of security holes that are difficult to find? By keeping the code simple.

      You're way off base in this case. SSL requires the use of X.509 certificates, and it was in the cert parsing code that these new vulnerabilities were found. X.509 means ASN.1 formats, which have at least two different encoding rules, BER and DER that both must be supported; implicit versus explicit tags; several different ways of encoding packet lengths, and a host of other complexities. There's no way to write this kind of code and just keep it simple as you describe. Any implementation of SSL which is going to interoperate with other systems on the net is going to face these complexities.

      I've written certificate handling code so I know how complicated it is. Also worth reading is Peter Gutmann's somewhat dated but still insightful X.509 Style Guide which describes some of the horrors an X.509 implementation has to deal with.

      In this case the failures were mostly in the error handling, and any developer knows that this tends to be the hardest part of your program to get right. Not only are there a lot more ways things can fail than go right, but they can fail in many more places in your code and it is very difficult to make sure your program can recover gracefully from everywhere something might go wrong.

      Also, I'm not sure if it's public yet, but a lot of other implementations are affected by this besides OpenSSL. See the CERT advisory when it comes out and you will find some of the biggest names in the security business got burned by this. It's absurd to suppose that your cosmic insights are somehow being overlooked by companies that base their reputations on security.

    2. Re:Why is some software more secure than others? by pebs · · Score: 5, Insightful

      In short, I think the laissez faire attitude we all have, both from accepting bugs, and about coding them ourselves is a SIGNIFICANT part of the problem. We need to raise the expectations, and hold people/companies accountable when these standards are not met.

      Here lies the problem:

      1) Cheap
      2) Fast
      3) Secure

      Pick 2

      --
      #!/
  3. Re:Feeling kinda good about it by ebay+troll · · Score: 5, Funny

    excellent poster!!!!!!! responded in less than 5 minutes, pleasure to work with, quick response

    A+++++++++++!