
Thread: Heartbleed (OpenSSL exploit)

Post #11 by AetheLove (Registered TeamPlayer, joined 07-21-09, 4,096 posts)

    Re: Heartbleed (OpenSSL exploit)

    Quote Originally Posted by Gumby View Post
    Isn't finding this sort of thing supposed to be a strength of the open source model? Why didn't security researchers find this sooner?

    It is a strength of the open source model.

    Programmers make mistakes. Software has bugs. No model fixes that problem.

    [optimists among us would say "no model fixes that problem yet"]

    There are upsides and downsides to both open- and closed-source models. Because of the nature of closed-source, there are lots of interesting comparisons that can't be made - half the data isn't available. But we do know of many examples of catastrophic security bugs in closed-source software that went unfixed for much longer than two years. We have examples of security bugs that were known by the vendor but kept secret from vulnerable parties.

    As soon as this bug was discovered it was announced and fixed. The response to the problem was exactly what you hope all responses could be - everyone was told how the bug worked, everyone was told how to fix it, and everyone was told what possible damage had been done.

    Heartbleed Bug

    What Heartbleed Can Teach The OSS Community About Marketing | Kalzumeus Software

Cheers,

    AetheLove

Post #12 by hannibal (Registered TeamPlayer, joined 08-20-07, Tempe, Arizona, United States, 1,418 posts)

    Re: Heartbleed (OpenSSL exploit)

    Quote Originally Posted by AetheLove View Post
    It is a strength of the open source model.

    Programmers make mistakes. Software has bugs. No model fixes that problem.

    [optimists among us would say "no model fixes that problem yet"]

    There are upsides and downsides to both open- and closed-source models. Because of the nature of closed-source, there are lots of interesting comparisons that can't be made - half the data isn't available. But we do know of many examples of catastrophic security bugs in closed-source software that went unfixed for much longer than two years. We have examples of security bugs that were known by the vendor but kept secret from vulnerable parties.

    As soon as this bug was discovered it was announced and fixed. The response to the problem was exactly what you hope all responses could be - everyone was told how the bug worked, everyone was told how to fix it, and everyone was told what possible damage had been done.

    Heartbleed Bug

    What Heartbleed Can Teach The OSS Community About Marketing | Kalzumeus Software

Cheers,

    AetheLove

    To Gumby's point though, one of the problems that open source creates is a process problem. Projects operate with the same political pressures as companies or any other large group. The guy who checked this bug into the code was well known and as a result his code was trusted almost implicitly.

It takes a lot of discipline to run an OSS project and you almost need a dictator, a la Linus Torvalds. OpenSSL was using something more akin to the bazaar model, which is fine for projects that aren't mission critical.

    tl;dr The problem wasn't that a mistake was made, the problem was the process OpenSSL uses.

    -H

Post #13 by Red_Lizard2 (Registered TeamPlayer, joined 01-28-07, Arizona, 13,490 posts)

    Re: Heartbleed (OpenSSL exploit)

    Quote Originally Posted by Gumby View Post
    Isn't finding this sort of thing supposed to be a strength of the open source model? Why didn't security researchers find this sooner?

Supposedly (if you believe anonymous sources) the NSA found it a couple of years ago. They just decided not to speak up.
    Report: NSA Used Heartbleed to Spy on People for Years

Post #14 by Gumby (Registered TeamPlayer, joined 07-24-06, Colorado, 5,025 posts)

    Re: Heartbleed (OpenSSL exploit)

    The NSA is not exactly the type of security researchers I was wondering about. :-)
