Tuesday, April 22, 2014

Why Heartbleed Happened

Originally published on Kupeesh!


So what's up with all this Heartbleed nonsense?

What could possibly be behind the greatest crisis in Internet security since the invention of phishing emails?
How could this possibly happen?  What could possibly jeopardize the security of thousands of websites and secure services we take for granted like Google, Tumblr and even banking sites?

I have an easy answer and it points right back to the Achilles heel of Open Source. 

While proponents will argue the merits of solutions that don't come from commercial sources, the one inescapable fact of Open Source software is that it's developed under mob rule.

Therein lies the problem. 

While nobody questions the benefits of Open Source software like cost and ease of customization, proponents tend to gloss over the fact that some projects are better managed than others.

Take the case of OpenSSL.  It's the foundation for thousands of web services like Google, Yahoo and even your bank.  Except that somebody wasn't minding the store and for two years the mechanism that was supposed to secure your communications...didn't.

The flaw was discovered by accident by Google's Neel Mehta during a routine security sweep, but it had been in existence for 2 years.  Overlooked by one of OpenSSL's core developers, Stephen N. Henson, the vulnerability came as the result of new, and apparently untested, functionality known as the Heartbeat extension for OpenSSL.  That functionality was supposed to be little more than an "I'm still here!" beacon to whatever service you're connected to.

The short of it is this...

The problem comes from not checking that the length a heartbeat request claims matches the amount of data that was actually sent.  A crafty hacker can take advantage by continually sending heartbeat requests that claim to be of a certain size but are actually much smaller.  The server dutifully responds with a reply of the claimed size and fills the otherwise empty space of that reply with whatever happens to be in its memory next to the request.  Those contents have been shown to include user credentials, among other compromised information.
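To make the missing check concrete, here is an added example; it is not code from this post or from OpenSSL. It simulates a heartbeat handler over a small constructed memory array (a fake credential string placed a few bytes behind the received record) so that the "before" and "after" behaviour can be compared deterministically. The message layout follows RFC 6520 (type, two-byte length, payload, at least 16 bytes of padding), and the fixed handler applies the same kind of bound the real patch introduced: the claimed length plus header and padding must fit inside the record that actually arrived, otherwise the request is dropped. All names, sizes and the secret string are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a slice of server process memory. The received
 * heartbeat record sits at the front; an unrelated, constructed credential
 * string happens to sit a few bytes behind it, as it might on a real heap. */
#define MEM_SIZE      128
#define SECRET_OFFSET 32
static const char SECRET[] = "user=alice;pass=hunter2";   /* constructed sample */

/* Heartbeat message layout (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>= 16) */
#define HB_HEADER   3
#define HB_PADDING  16
#define HB_REQUEST  1
#define HB_RESPONSE 2

/* Write a heartbeat request into mem whose header claims `claimed_len`
 * payload bytes but which actually carries only `actual_len`. Returns the
 * true length of the record as it arrived on the wire. */
size_t build_request(uint8_t *mem, uint16_t claimed_len, size_t actual_len) {
    memset(mem, 0, MEM_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed_len >> 8);
    mem[2] = (uint8_t)(claimed_len & 0xff);
    memset(mem + HB_HEADER, 'A', actual_len);            /* real payload */
    /* padding bytes stay zero */
    memcpy(mem + SECRET_OFFSET, SECRET, sizeof SECRET);  /* neighbouring data */
    return HB_HEADER + actual_len + HB_PADDING;
}

/* Pre-fix behaviour: trusts the 2-byte length field and copies that many
 * payload bytes into the reply without comparing it to what was received. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap) {
    (void)rec_len;                                   /* the bug: never consulted */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + claimed > out_cap) return 0;  /* only the reply buffer bounds the copy */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);    /* reads past the request into neighbouring memory */
    return HB_HEADER + claimed;
}

/* Post-fix behaviour: the claimed length plus header and minimum padding
 * must fit inside the record that actually arrived; otherwise the request
 * is silently discarded, as RFC 6520 section 4 requires. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap) {
    if (rec_len < (size_t)(HB_HEADER + HB_PADDING)) return 0;  /* too short to be valid */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + claimed + HB_PADDING > rec_len) return 0;  /* the missing check */
    if ((size_t)HB_HEADER + claimed > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    return HB_HEADER + claimed;
}

/* Does the reply contain the neighbouring secret? (plain substring scan) */
int contains_secret(const uint8_t *buf, size_t n) {
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(buf + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* Feed the same lying request (claims 60 bytes, carries 4) to either handler.
 * Returns the reply length; *leaked is set when the secret ended up in it. */
size_t run_demo(int use_fixed, int *leaked) {
    uint8_t mem[MEM_SIZE], out[MEM_SIZE];
    size_t rec_len = build_request(mem, 60, 4);
    size_t n = use_fixed ? heartbeat_fixed(mem, rec_len, out, sizeof out)
                         : heartbeat_vulnerable(mem, rec_len, out, sizeof out);
    *leaked = contains_secret(out, n);
    return n;
}
size_t demo_len(int use_fixed)  { int l; return run_demo(use_fixed, &l); }
int    demo_leaks(int use_fixed) { int l; run_demo(use_fixed, &l); return l; }

/* An honest request (claims 4, carries 4) is still answered after the fix. */
size_t run_honest(void) {
    uint8_t mem[MEM_SIZE], out[MEM_SIZE];
    size_t rec_len = build_request(mem, 4, 4);
    return heartbeat_fixed(mem, rec_len, out, sizeof out);
}

int main(void) {
    printf("vulnerable: replied %zu bytes, secret leaked: %s\n",
           demo_len(0), demo_leaks(0) ? "yes" : "no");
    printf("fixed:      replied %zu bytes, secret leaked: %s\n",
           demo_len(1), demo_leaks(1) ? "yes" : "no");
    printf("fixed, honest request: replied %zu bytes\n", run_honest());
    return 0;
}
```

The point worth taking from the two handlers is that the only difference is a single comparison against the record length that was already known to the receiving code; everything else is identical. A review or a unit test that fed a short record with a large length field to the handler would have caught it, which is the kind of basic oversight the rest of this post is about.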

It's apparently a simple fix but it's taken two years for anyone to notice. 

Meanwhile, nobody knows how long the bad guys have been aware of the flaw.  How can something like this get by the supposed vigilance of security gurus and major corporations alike? 
I can tell you how: it's endemic, it's cultural and it's arrogance...

It's a misguided belief that oversight of a product is best left to a community regardless of its qualifications to do so.  A community that frequently finds itself more concerned with the technical wizardry of its products than the users who deploy them.

It's the same mindset that's kept other Open Source offerings like Linux in the shadows of Windows.  Let's be honest here.  You can only stomach so many unintelligible whitepapers or narcissistic support forum posts before you just give up.  The inmates are indeed running the asylum...

Heartbleed shines a light on the failure of the Open Source community in that it lays open the lack of even the most basic oversight of a critical and widely used service.  It's not so much about the failure of OpenSSL but rather that nobody including its chief stewards noticed the problem for two years.


This is nothing less than a reality check on the entire Open Source community.  One that should be raising questions in anyone that relies on their wares.