Heartbleed and Heartache in FOSS Town
Apr 21, 2014 9:58 PM PT
That the bug is "catastrophic" appears to be beyond dispute; in fact, "some might argue that it is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet," as at least one commentator suggested.
The fact that the flaw exists in OpenSSL, of course, is what's made the topic particularly pertinent to those of us in the FOSS world.
'Is Open Source to Blame?'
Bottom line? Let's just say tensions have been running high down at the Linux blogosphere's seedy Broken Windows Lounge, where Linux Girl's favorite barstool hasn't had a chance to cool off all week.
'I Find It Exciting'
"The Heartbleed story is both sad and exciting," blogger Robert Pogson told Linux Girl.
"Of course, we should be sad that a serious hole was so widespread," Pogson explained.
At the same time, "I find it exciting that openSSL has been shown to be such a critical piece of the infrastructure of IT," he added. "This both demonstrates the wide acceptance of FLOSS and should prompt all of us who depend on IT working to support FLOSS more by creating, maintaining, surveying and testing packages of all kinds. Big users of IT should give back by paying FLOSS programmers, hunting down bugs and doing code surveys."
The bottom line, however, is that the bug lingered for years; "if the code had been hidden from the world, it might have lived for decades," Pogson suggested. "Because openSSL is FLOSS, no one was forbidden to examine the code, enquire into how it works and propose improvements."
'A Success for FOSS'
Linux Rants blogger Mike Stone had an even more upbeat take.
"Oddly, I consider Heartbleed to be a success for FOSS," Stone told Linux Girl. "Granted, no one wants bugs or security vulnerabilities. I'm sure we'd all prefer that it never happened, but these kinds of things do happen, even in FOSS."
What's interesting is to compare with how a similar scenario would have played out in a closed environment, he added.
"The original author didn't spot this vulnerability, and it was missed upon review as well," Stone recounted. "If this were Windows/OSX, the very same thing could have happened. In that instance, the code wouldn't have been available for review, and only Microsoft/Apple could have fixed the problem and released a solution."
In other words, it would have been "a much worse situation," Stone concluded. "As it is, once the problem was identified, the error was found quickly and fixes were virtually instantaneously available from multiple sources. Short of not happening at all, this feels like a best case outcome."
Indeed, "any software that has zeros and ones in it will have bugs," Google+ blogger Kevin O'Brien said. "To say that this is a weakness of Open Source is essentially ideological BS by people who are fans of proprietary software. And if proprietary software is so good, why is Adobe a perpetual source of serious security flaws?"
There are takeaway lessons, however,
"First, Debian reported they had patched the problem in less than an hour from when they heard of it," O'Brien pointed out. "Second, just because the code can be viewed does not mean anyone is going to rigorously inspect it. And doing a good job of that takes time, money and other resources."
How can we make this happen? "Imagine if the NSA spent their time making our infrastructure more secure instead of trying as hard as possible to introduce deliberate insecurities," he concluded. "That would be a good use of our tax dollars."
'Really, Really Bad'
What's impressive "is not the scope of the problem but rather the fallout," Travers opined. "This bug casts great doubt on Google's anti-CRL-checking stance regarding Chrome -- one of our certificates for Efficito never made it to Google's CRLset, meaning that unless you explicitly tell Chrome to check, it will recognize the certificate as valid, which is really, really bad."
In general, though, "the open source community has been very good about communicating with people about risk assessment and mitigation," he concluded. "This has been true with everything from PostgreSQL to LedgerSMB. If the problem was severe, the response has been very good for the most part."
'It Was Only a Matter of Time'
FOSS fans "are quick to say that it is better than the other guy's software because 'many eyes make the bugs shallow,' but if the eyes are looking at the television, or Google+ or whatever instead of the code, things can be missed," noted Google+ blogger Brett Legree.
"There is something to be said for paying people to audit code, and since a lot of this work is done freely, I have to say that in all honesty I was not surprised by Heartbleed," Legree added. "It was only a matter of time."
Indeed, "the bug goes to show 'many eyes' is still a myth since it sat there for two years in one of the most popular software implementations and nobody noticed it," SoylentNews blogger hairyfeet said. "Complex software will always have bugs -- being FOSS doesn't magically improve the quality of the code."
'A Wake-Up Call'
The situation "isn't about Open vs closed source," consultant and Slashdot blogger Gerhard Mack began. Rather, "this is about the 'squeaky wheel gets the grease.'
"Even in business environments there is often that one component that everyone uses but no one thinks about because it does what it is supposed to, and because everyone is busy with things that they know need their attention, no one has time to look at it," Mack explained.
"Hopefully," he concluded, "this serves as a wake-up call for everyone to examine those components that 'just work.'"