
Resiliblog

the latest source of comment and analysis from the Institute for Security & Resilience Studies at UCL.

The SSL debacle

By Jas Mahrra, on 14 April 2014

================================================

ISRS Fellow Vinay Gupta comments on the recently discovered “Heartbleed” exploit.

The new OpenSSL exploit, “Heartbleed”, illustrates some little-considered failure modes of our modern critical infrastructure environment.

The error itself is trivial: a single line of code contains the equivalent of a minor clerical error. The bug is a little like a reverse buffer overflow: rather than letting assailants write to memory, it allows them to read from memory – including memory containing valuable information like passwords or crypto keys.

https://xkcd.com/1354/
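The over-read described above comes down to trusting a length field supplied by the peer. The following C example is added here for illustration and is not code from this post or from OpenSSL; it assumes the TLS heartbeat message layout (1-byte type, 2-byte claimed payload length, payload, at least 16 bytes of padding), which the post does not spell out, and its function names and sample records are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER  3   /* 1-byte type + 2-byte claimed payload length */
#define HB_MIN_PAD 16  /* minimum padding a heartbeat message must carry */

/* Constructed sample records (21 bytes each, not captured traffic):
 * type, claimed length (big-endian), 2-byte payload "hi", 16 zero bytes of padding. */
static const uint8_t honest_rec[21] = {1, 0x00, 0x02, 'h', 'i'}; /* claims 2 bytes */
static const uint8_t lying_rec[21]  = {1, 0x40, 0x00, 'h', 'i'}; /* claims 16384 bytes */
static uint8_t out_buf[64];

/* How many bytes past the end of the record a handler that trusted the
 * claimed length would read. 0 means the claim fits inside the record. */
size_t hb_overread_bytes(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER)
        return 0;                       /* too short to carry a claim */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t avail = rec_len - HB_HEADER;
    return claimed > avail ? claimed - avail : 0;
}

/* Hardened echo: copy the payload only when header + claimed payload +
 * padding fit in the bytes received. Returns bytes copied, or -1 to discard. */
long hb_echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_MIN_PAD)
        return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_MIN_PAD > rec_len || claimed > out_cap)
        return -1;                      /* claim exceeds what was sent */
    memcpy(out, rec + HB_HEADER, claimed);
    return (long)claimed;
}

int main(void)
{
    printf("honest: over-read %zu, echoed %ld\n",
           hb_overread_bytes(honest_rec, sizeof honest_rec),
           hb_echo_checked(honest_rec, sizeof honest_rec, out_buf, sizeof out_buf));
    printf("lying:  over-read %zu, echoed %ld\n",
           hb_overread_bytes(lying_rec, sizeof lying_rec),
           hb_echo_checked(lying_rec, sizeof lying_rec, out_buf, sizeof out_buf));
    return 0;
}
```

The single comparison of claimed length against received length in `hb_echo_checked` is the kind of one-line check whose absence turns a keep-alive echo into a memory disclosure.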

If this bug had affected one site, it would have been unimportant. However, the severely under-resourced team maintaining the OpenSSL library were actually servicing some 20% of the internet. Because the software worked and was available without cost, it was everywhere.

OpenSSL was widely regarded as a basket case from the beginning: security researchers considered the software (originally written for at most casual use) to have been built upon far beyond what its fundamental integrity could support. Heartbleed is not the last bug of this size that this codebase might conceal.

There are allegations that the NSA knew of Heartbleed for several years and exploited it as part of ongoing internet monitoring operations. The NSA strenuously denies this. There is no doubt, however, that trade on the internet has been vulnerable for several years because of this undetected bug, and if any agency (on any side) detected it, they would have had a substantial intelligence-gathering advantage.

These issues do not start and end with e-commerce and secure email. There is every possibility that SCADA and smart cities projects are also affected, and potentially systems like aircraft avionics software development environments.

Bugs are contagious. A breached password is used to load malware, the malware is used to compromise source code, the source code opens up a back door in a factory or on a plane. Contagion was very real in the financial markets, and it is equally real in the sociotechnical systems which develop and support our high-tech economy. We must be wary.
