Heartbleed SSL Bug Leaves Many Large Corporations Red Faced

The recent disclosure of the so-called Heartbleed bug (CVE-2014-0160) left many organizations who should know better red-faced as they demonstrated their ineptitude at rapidly patching their machines.

For those who have yet to hear the news, the so-called Heartbleed bug is a vulnerability in OpenSSL that can potentially leak key material from a server's memory. This is obviously very bad mojo, and the issue is compounded by the fact that OpenSSL is the most popular implementation used for HTTPS on the web.

Astute readers of this blog will know I have an issue with OpenSSL, whose author allegedly coded it to learn bignum arithmetic. Of course that's entirely irrelevant and potentially untrue. My real issue with OpenSSL mirrors that of Sun/Oracle's Java – unnecessary complexity, terse code often with equally indecipherable comments, and a huge history of vulnerabilities to boot. I could go on forever, but when there are so many other libraries to use as alternatives I can't understand why anyone would bother with it. PolarSSL, for example, is a mere fraction of the size of OpenSSL and performs admirably. Mozilla's TLS implementation exists and is reasonable, as is GnuTLS.

I could go on, but I have touched on all of this before. If you are unlucky enough to be affected, go ahead and grab the latest tarball of OpenSSL (1.0.1g), which has the issue patched.
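As an added illustration (not part of the original post, and not OpenSSL's own code), here is a small Python checker that parses the banner printed by `openssl version` and reports whether the upstream release sits in the affected 1.0.1 through 1.0.1f range that 1.0.1g supersedes. The sample banners are constructed; the only page-supplied fact is that 1.0.1g carries the fix, and the lower bound of the affected range (the heartbeat extension first shipped in the 1.0.1 branch) is my own assumption from the public advisory.

```python
import re
import subprocess
from typing import Optional, Tuple

# Upstream OpenSSL 1.0.1 through 1.0.1f carry the vulnerable heartbeat code;
# 1.0.1g (the release named in the post) is the first upstream build with the fix.
# Older branches (0.9.8, 1.0.0) never had the TLS heartbeat extension at all.
# Pre-release 1.0.2 betas are deliberately outside this check.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")
FIRST_FIXED_LETTER = "g"


def parse_version(banner: str) -> Optional[Tuple[int, int, int, str]]:
    """Turn 'OpenSSL 1.0.1e 11 Feb 2013' into (1, 0, 1, 'e'); None if unrecognised."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def is_vulnerable_upstream(banner: str) -> Optional[bool]:
    """True for upstream 1.0.1 .. 1.0.1f, False for any other OpenSSL release,
    None when the banner is not an OpenSSL version string."""
    parsed = parse_version(banner)
    if parsed is None:
        return None
    major, minor, fix, letter = parsed
    if (major, minor, fix) != (1, 0, 1):
        return False
    # Patch letters sort alphabetically; the bare "1.0.1" release has an empty letter.
    return letter < FIRST_FIXED_LETTER


def classify(banner: str) -> str:
    """Human-readable verdict for one banner line."""
    verdict = is_vulnerable_upstream(banner)
    if verdict is None:
        return "unknown (not an OpenSSL banner)"
    return "AFFECTED upstream release, upgrade to 1.0.1g or later" if verdict else "not affected"


def local_banner() -> Optional[str]:
    """Run `openssl version` on this host, or return None if the binary is absent."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample banners covering the affected range and its neighbours.
    samples = [
        "OpenSSL 1.0.1 14 Mar 2012",
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1f 6 Jan 2014",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.0k 5 Feb 2013",
        "OpenSSL 0.9.8y 5 Feb 2013",
        "LibreSSL 2.0.0",
    ]
    for banner in samples:
        print(f"{banner:32} -> {classify(banner)}")
    mine = local_banner()
    if mine:
        print(f"this host: {mine} -> {classify(mine)}")
```

One caveat worth stating: distributions routinely backport the fix without bumping the upstream version letter, so a host that prints `OpenSSL 1.0.1e` may already be patched. Treat an "AFFECTED" verdict from this script as a prompt to check the package manager's changelog or security advisory for your distribution, not as a final answer.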

The OpenSSL advisory notes that:

“Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley … and Bodo Moeller … for preparing the fix.” (Email addresses redacted above to reduce UCE to those named.)

It is excellent that they are correctly attributing those who worked hard to find the bug, and I commend them for their responsible disclosure.
