SAN FRANCISCO—Experts have stressed this week that DROWN is no Heartbleed, but at some point in the not too distant future, there’s going to be another major Internet vulnerability and developers at OpenSSL claim they’re battle tested.
Rich Salz and Tim Hudson, members of OpenSSL’s development team, described in a talk at RSA Conference this week some of the challenges the group had to deal with before the bug, and the strides the team has made in the nearly two years since.
“It will happen again,” Hudson said, “There are Heartbleeds out there waiting to happen, but by hanging our dirty laundry out, we’re hoping people can learn.”
Hudson said perhaps the best thing that’s happened to OpenSSL in the last two years is that it has a formal decision making process now which the group applies when deciding to remove old crypto from the code, or dropping support for export-grade crypto ciphers. Admitting that the while the group doesn’t agree on everything all the time, he says the group can reach a decision in a defined time period, something it couldn’t do before.
In the months after Heartbleed, largely thanks to Core Infrastructure Initiative funding, OpenSSL went through a lot of changes, chief among them its growth from a two member skeleton crew to 15 members.
But it wasn’t until after Heartbleed that the group had its first face-to-face meeting. The group was able to draft major policies, release strategies, and enact a security policy. For the first time the group had an opportunity to outline severity levels, define exactly how worrisome a vulnerability is, and how to notify the public.
“If there’s a Heartbleed 2.0, it’ll be marked critical,”Salz said.
Before the meeting, it would’ve been difficult to qualify a vulnerability like DROWN, the bug disclosed earlier this week that exposes 33 percent of HTTPS connections to attack. Now when a vulnerability comes to light, there’s a prescribed set of protocols to follow.
Also, before Heartbleed there was a real concern around crypto export controls and even meeting in the U.S. for fear of arrest, something that impeded their work as well.
“We were ultra cautious,” Salz said, adding that sometimes developers worked with a “don’t touch anything because you might break it and if you do we don’t have a lot of time to fix it” mentality.
While the group has benefited from the CII’s funding, the mainstream press’ reaction to Heartbleed, something Hudson jokingly referred to as the “Kardashian effect,” didn’t hurt either.
With every researcher out there trying to find the next Heartbleed, the amount of testing being done is astronomically higher than before the bug, Hudson said. Mandatory team member code reviews, coupled with updated analysis tools, and having project team members in different time zones, so issues often get a fresh set of eyes on it, has helped as well.
Documenting changes through Github has helped the group maintain transparency and efficiency, Salz said, citing an instance in January when researcher filed a crash bug and OpenSSL fixed it in 15 minutes.
I filed a crash bug to #OpenSSL, got a fix and verified it – within 15 minutes! The fix: https://t.co/dOyLgTZJC3
— daniel:// stenberg:// (@bagder) January 14, 2016
While it wasn’t fun for the coding team and other members who essentially had to ‘re-key’ the internet, the positives really outweighed the negatives, according to Hudson; Heartbleed gave the group a renewed focus.
There’s still work to do however, especially when it comes to bug tracking, Salz said. Fixing a bug in 15 minutes is not the norm.
“We’ve gotten better, but not good enough, there’s too many bugs, old ones,” he said, ” We’ll never get to zero, but we’re seeing more sharing and contributing.”
“Every time you have humans building something, there will be mistakes,” Hudson added.