The OpenSSL Foundation is urging companies to update their implementation of the open source toolkit to patch a vulnerability allowing man-in-the-middle attacks between insecure servers and clients. The bug allowing the attacks is present in all versions of OpenSSL, so even companies that updated their implementations after the Heartbleed bug was revealed will now have to update it again to stop another critical flaw from affecting both them and their users.
Nicholas Percoco, the vice president of strategic services at Rapid7, explains the problem in a statement emailed to Pando:
The newly disclosed Man-in-the-middle vulnerability in OpenSSL affects all client applications and devices that run OpenSSL when communicating to vulnerable servers of specific versions, but includes the most recent. This likely contains the majority of systems on the Internet, given that most rushed to upgrade OpenSSL after the Heartbleed disclosure in early April of this year. A Man-in-the-middle attack is dangerous because it can allow an attacker to intercept data that was presumed to be encrypted between a client (e.g. an end user) and a server (e.g. the online bank, etc.). This attack is also passive in nature and may not be detected by client, server or network based security controls.
But the good news, at least according to Google’s Adam Langley, is that people using major Web browsers like Internet Explorer, Safari, Firefox, and Google Chrome aren’t susceptible to the man-in-the-middle attacks made possible through this vulnerability. That’s a welcome change from the Heartbleed bug, which is known to affect many routers, some versions of the Android operating system, and other products that will leave consumers exposed until they are updated with new versions of the OpenSSL toolkit, which seems increasingly unlikely.
Percoco agrees with Langley’s assessment, but points out that there are “many (many) other software packages that utilize OpenSSL for their client-side of the SSL communication,” so consumers aren’t yet in the clear. This means that people are once again at the mercies of the companies and developers they trust to keep their information secure, as they don’t know what has been affected by this bug or how to fix the problem if they’re using vulnerable software.
Pando weighs in
The bug was caused by a coding error that its author described as “quite trivial” despite the effect it had on Internet security. The volunteers who checked his work failed to spot the bug, and so it was introduced into a security tool used by roughly two-thirds of the Internet. No one else bothered to check for a vulnerability because — fittingly enough — many open source tools are considered more secure than their proprietary counterparts because anyone can edit them.
Consider it the digital version of the bystander effect, whereby an entire crowd will ignore a cry for help because everyone assumes that someone else will take care of the problem. The effect becomes more pronounced as the number of people witnessing the problem grows. This is like that, except it threatens the foundation of online security, and the crowd is so massive that it’s amazing that anyone even bothered to look for the Heartbleed bug in the first place.
On the irony of “digital security” in the wake of numerous data breaches, crippling bugs, and ransomed iPhones:
These reports continue months of security woes for Apple customers. First it was revealed that the company had failed to implement a security standard in its mobile operating system; then we learned that the issue affected its desktop operating system, too; and now Australians are being locked out of their own smartphones and asked to pay some unknown hacker for access.
And those are just the problems specific to Apple. There’s been the Heartbleed bug that crippled two-thirds of the Internet, multiple security breaches each affecting millions of consumers, and the constant knowledge that intelligence agencies around the world are spying on, well, everyone. If these problems have taught us anything, it’s that the term “digital security” is an oxymoron.
The Linux Foundation’s announcement shows that technology companies are starting to take this seriously. Besides the OpenSSL Foundation, which oversees the technology after which it’s named, funding has also been granted to the Open Crypto Audit Project, and will be allocated to other groups looking after the Network Time Protocol and OpenSSH. The group isn’t just patching a weak spot in OpenSSL’s infrastructure — it’s trying to secure other tools as well.
When I wrote about efforts to prevent the next Heartbleed from happening, I ended with a simple question: “We wouldn’t force the doctors charged with handling real heart attacks to operate on donations or in their spare time — why delegate the task of preserving the health of the Internet to people asked to work that way?” It seems that the Linux Foundation agrees, and given its latest announcement, the future of the Internet now seems a little less bleak than before.
[Image courtesy Chris Halderman]