Wednesday, April 9, 2014

Bugs

I have been a huge proponent of open source software for years. I don't plan to change that outlook. However, I think it is time for the open source community to take some responsibility for policing itself. Or, more accurately, I think it's time for the big players in the community to step up and take responsibility for the free software from which they benefit.

On Monday, a security specialist at Google discovered a bug in the OpenSSL software library. OpenSSL is used all over the Internet. For example, it is used by the Apache web server, which accounts for 50% of all web sites on the public Internet. The bug allows an attacker to potentially gain access to a lot of very, very sensitive information. SSL stands for Secure Sockets Layer. OpenSSL implements it as a library that sits between your programs and your network connection. It uses a system called public key encryption to scramble what is being sent out over the public Internet so it can't be read by anyone who doesn't have the right keys. The most obvious place you will see it is in the secure HTTP protocol, or HTTPS. Go to Google. Look in the location bar of your browser. You will see something like this:
https://www.google.com
The https means that anything you send to Google, and anything Google sends back to you, is encrypted. If some nefarious person (or the NSA, same thing, actually) hooks a device called a network sniffer up to the Internet, all they will see is a steady stream of gibberish. They can't see what porn you are looking for, and they can't steal your sister's secret chocolate chip cookie recipe that she sent you in Gmail. You should always look for this, by the way, especially where your credit cards are concerned.

The OpenSSL bug can give up your usernames and passwords, your credit card information, and a lot of other even worse stuff (x.509 certificate keys and passphrases, long term server secret keys, EEK!).

The bug is the result of a bit of sloppy programming and a lack of rigorous testing. Both of those are the chinks in the armor of open source software. Open source software is different from proprietary software in that no one actually owns it. You don't have to pay anyone to use it. If you want to change it for your own use, you can. One of the important aspects of open source that has emerged is that of community testing and feedback. The people who use the software have a stake in making the software work right. They will fix bugs on their own or very quickly report them. If they are good open source citizens and they fix code on their own, they will donate the fixes back to the project. It has been demonstrated time and time again that the general quality of open source software is superior to that of proprietary software. Big companies code in secret, so they can hide big uglies for years and years. I shudder to think about what the Microsoft Windows code looks like. If the open source software you are working on is widely used, and the code you are writing is crap, you will hear about it very quickly.

Another important aspect of open source software is the speed with which open source groups can respond to something like this bug. The OpenSSL group has already issued a patch to fix the problem. Red Hat has already issued a critical update. On the other hand, Oracle is not going to do anything about it until their regular update on April 15th. HP hasn't announced any intention to do anything about it. Oracle and HP are big companies. They're not built to turn on a dime when things like this happen. It could be argued that the big companies do more testing before releasing a fix, and that is true, as far as it goes. The big companies also have a lot more bureaucracy and other unproductive overhead built around testing and releasing software.

It should be noted at this point that the vast majority of open source groups, including OpenSSL, do not allow just anyone to write code for the product that they publicly release. So, this bug wasn't a case of some high school kid writing sloppy code that found its way into the finished product. OpenSSL has been around for a long time. The people who work on it are experienced developers. The hackers and amateurs were weeded out long ago.

Sadly, experienced developers are not immune to writing sloppy code. That was the case here. The OpenSSL group has not been forthcoming with exactly who did this. I applaud them for not throwing anybody under the bus. I think that first and foremost, the failure here was probably in peer review. The programmer either took on or was given a particular task to complete, coded it, did some basic testing and debugging, and added it to the mix. No one probably gave it a second look, or if they did, it was perfunctory. Granted, the bug is very subtle. I had to read through the explanations and code several times to get it. But, that leads to the second issue, which is testing. One of the fundamental requirements in software development is to do regression testing when you make a change. That means that you go back and make sure that everything that used to work still works after your change. I am convinced that this is what happened to OpenSSL. No regression testing.
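As an added illustration of what a regression suite for this kind of change looks like (this is not code from the post or from OpenSSL): the post does not describe the bug's mechanism, so the example assumes a simplified bug class, a reply built from a length the request claims rather than from the bytes actually received, with a constructed stand-in for nearby memory; the names `echo_sloppy`, `echo_checked` and `run_regression_suite` are hypothetical.

```python
# Constructed stand-in for whatever happens to sit next to the received
# payload in process memory. A correct reply must never contain it.
SECRET = b"SECRET-KEY-MATERIAL"


def build_request(payload: bytes) -> bytes:
    """Assumed wire format: 2-byte big-endian length, then the payload."""
    return len(payload).to_bytes(2, "big") + payload


def parse_request(msg: bytes):
    """Split a request into (claimed_length, received_payload)."""
    if len(msg) < 2:
        raise ValueError("request shorter than its length header")
    return int.from_bytes(msg[:2], "big"), msg[2:]


def memory_model(payload: bytes) -> bytes:
    """Constructed heap model: the payload, then adjacent data."""
    return payload + SECRET


def echo_sloppy(msg: bytes) -> bytes:
    """'Before': copies as many bytes as the request claims."""
    claimed, payload = parse_request(msg)
    return memory_model(payload)[:claimed]


def echo_checked(msg: bytes) -> bytes:
    """'After': the claimed length must match the bytes received."""
    claimed, payload = parse_request(msg)
    if claimed != len(payload):
        raise ValueError("claimed length does not match received payload")
    return memory_model(payload)[:claimed]


def run_regression_suite(echo) -> dict:
    """Cases that passed before the change, plus one guarding the fix.
    Each value is True when the implementation behaved correctly."""
    results = {
        "normal": echo(build_request(b"ping")) == b"ping",
        "empty": echo(build_request(b"")) == b"",
    }
    # A request that claims 40 bytes but carries only 4: the reply must
    # be refused or contain nothing beyond the 4 bytes actually sent.
    over_claimed = (40).to_bytes(2, "big") + b"ping"
    try:
        reply = echo(over_claimed)
        results["over_claimed"] = len(reply) <= 4 and SECRET not in reply
    except ValueError:
        results["over_claimed"] = True
    return results
```

Running the suite against both versions shows the point of the post: the old cases pass either way, and only the added case separates the sloppy implementation from the checked one.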

A lot of big companies use open source software these days. There was a time when they wouldn't go near it for exactly this reason. However, open source software is free. At some point, the objections to it were answered and the economics of it tipped the balance. However, using it shouldn't be free. If companies are going to benefit from it, they need to step up to the plate and be good open source citizens themselves. Red Hat has adopted this stance. In cases where certain open source packages are fundamental to their business, they supply developers and testers. They pay people just to participate in open source development groups. Other companies that use open source should do the same. The fact that someone from Google discovered this indicates that they are involved. Other big companies like Facebook, Amazon, PayPal, eBay, and every single bank and credit card agency should be participating in testing and refining. Open source software should be free, but it shouldn't be invisible.
