The recent disclosure of the so-called Heartbleed bug (CVE-2014-0160) left many organizations that should know better red-faced as they demonstrated their ineptitude at rapidly patching their machines.
For those who have yet to hear the news, the so-called Heartbleed bug is a vulnerability in OpenSSL that can potentially cause a leak of key material. This is obviously very bad mojo, and the issue is compounded by the fact that OpenSSL is the most popular implementation used for HTTPS on the web.
Astute readers of this blog will know I have an issue with OpenSSL, whose author allegedly coded it to learn bignum arithmetic. Of course that’s entirely irrelevant and potentially untrue. My real issue with OpenSSL mirrors that of Sun/Oracle’s Java – unnecessary complexity, terse code often with equally indecipherable comments, and a huge history of vulnerabilities to boot. I could go on forever, but when there are so many other libraries to use as an alternative, I can’t understand why anyone would bother with it. PolarSSL, for example, is a mere fraction of the size of OpenSSL and performs admirably. Mozilla’s TLS implementation exists and is reasonable, as is GnuTLS.
I could go on, but I have touched on all of this before. If you are unlucky enough to be affected, go ahead and grab the latest tarball of OpenSSL (1.0.1g), which has the issue patched.
The OpenSSL advisory notes that:
“Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley … and Bodo Moeller … for preparing the fix.” (Email addresses redacted to reduce UCE to those above)
It is excellent that they are correctly attributing those who worked hard to find the bug, and I commend them for their responsible disclosure.