Petronella Blog Archive


What Fixing OpenSSL Means for You


The lay person may see the term “OpenSSL” and wonder what it means, but to most of the web giants (read: Google, Facebook, Yahoo), it basically means everything, and it is getting a much needed security update in order to plug some pretty monstrous sinkholes.

Thousands of companies, including the US Government, use OpenSSL to encrypt online communications. OpenSSL implements the Secure Sockets Layer (SSL) encryption that websites (and other networked services) rely on to keep untrusted parties from reading or stealing sensitive information in transit.

Sounds good, right? Well, yes and no. It is good that they will be fixing the issues; however, the fixes also hand potential attackers a road map: once the patches are public, they will know exactly where the vulnerabilities are, and unpatched systems become easier to exploit. To reduce this risk, Steve Marquess, a founding partner at the OpenSSL Software Foundation, said that they will not release details of the updates before the March 19, 2015 release date, except to their major vendors.

“We’d like to let everyone know so they can be prepared and so forth, but we have been slowly driven to a pretty brutal policy of no [advance] disclosure,” Marquess said. “One of our main revenue sources is support contracts, and we don’t even give them advance notice.”

This decision comes in the wake of last year’s “Heartbleed,” which was essentially the Watergate of OpenSSL. Heartbleed was a critical flaw in OpenSSL that allowed any user to extract sensitive information such as passwords, cookies, etc. from servers that had not yet updated their software; the bug was known, but the updates were not applied, leaving a gaping wound in any company running the outdated software. This left a lot of people scratching their heads, including Marquess. “So the mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn’t happened more often.”

In contrast to Heartbleed, the March 19 updates are taking place because of an increase in donations and funding received by OpenSSL from companies that use its product and do not want a Heartbleed II. With that money, OpenSSL was able to hire two new full-time employees for three years. These new employees are working full-time to provide increased security and stability. In addition to the outside funding, OpenSSL is also employing two other people whose focus is code maintenance.

“We have four people working full-time on OpenSSL doing just what needs to be done, as opposed to working on stuff that brings in revenue,” Marquess said. “We have a lot more manpower resources, and one of the reasons you’re seeing all these bug and vulnerability fixes coming out now is that not only are outsiders looking for problems but we are too. We’re also doing a major overhaul of the source code, in conjunction with what is going to be probably the biggest crypto audit ever.”

We here at Petronella wish them the best!