> HIGH Severity. This includes issues that are of a lower risk than critical, perhaps due to affecting less common configurations, or which are less likely to be exploitable. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to keep the time these issues are private to a minimum; our aim would be no longer than a month where this is something under our control
So something to make sure you update, but not a Heartbleed level concern
I really like the lead time. It gives everyone time to prepare to patch ASAP when it is released without having the vulnerability available to attackers through diffing the binary.
On the other hand, it gives people that found the vulnerability independently a bit of extra time to exploit.
> It gives everyone time to prepare to patch ASAP when it is released without having the vulnerability available to attackers through diffing the binary.
It’s an open source library so the code of the patch will be available as soon as it’s published. It’s not released as a compiled library.
Yes, indeed in the case of OpenSSL indeed but I was referring to applying the practice in general. With an open source product the lead time is even more important. Even then, they could release the binaries from a private branch/repository so that packages can be updated before the source is released.
I would probably use OpenSSL in preference to LibreSSL at this point. The dev culture point you’re trying to make hasn’t really been true for many years.
Somewhat ironically to this circumstance (assuming it doesn't affect LibreSSL), the Void team has just switched back away from LibreSSL which it shipped by default with for years.
AFAIK every other linux distro shipping with or providing options for LibreSSL also switched around the same time frame, e.g. Gentoo dropped all support for it. It's just not feasible to build 3rd party software (that are targeting OpenSSL) with it anymore (obviously, if you targeted libressl specifically, there's no problem, but almost nothing does). Maintainers have just gotten tired of writing giant patches to get things like Qt5 working again.
Yes, but knowing others, particularly in other companies, expect downtime on Tuesdays as a result, wouldn't you also pick the day everyone expects that downtime?
Sure, but still strange to release this on a Thursday afternoon. This means that everyone who depends on OpenSSL needs to rebuild and test and will have an update ready on Friday afternoon in the best case.
Who wants to roll out any kind of update to their production systems on a Friday afternoon ? That’s just asking for trouble.
On the other hand, this is a high severity issue in security critical code that has had huge exploits in the past (heartbleed). This is the kind of security patch a good ops team is expecting and ready to handle at a moment's notice. It's far less annoying to do a Friday afternoon update than deal with active exploits all weekend.
And I ask myself if announcing a fix with a few days lead time: 1. increases searches for the exploit 2. causes those with the exploit to utilize it as often as possible before its planned enddate.
Can't believe that, in God's year 2021, 3rd millennia, Earth, we're still using security libraries written in what is essentially a portable assembly language, doing silly things like pointer arithmetic, manually allocating memory, and other chainsaw juggling feats.
I swear some day we'll look back to this period with bewilderment: son, in those days people used to smoke carcinogens for their taste, drive their own cars and treat mental disorders with an ice pick in the prefrontal cortex. Trully mad men would even implement X.509 in unsafe languages.
It would be good to know if this vulnerability was related to memory safety before pinning it on memory safety. You can get cryptography just as wrong in Rust or Go.
No argument from me that you can easily go wrong in any language, but I would argue that Rust has features other than memory safety that can also assist in building more reliable/secure software.
The Rust type system can define parts of the state machine that can help guarantee certain states are true at compile time.
This is very helpful for not using cryptography libraries incorrectly, or not accidentally using the wrong data at different points of implementing functions.
Generally more applicable to higher level use cases, the ring[1] library is a great example of how the algorithms (same impls as OpenSSL) are exposed to end users.
I like Ring but I don't think there's a lot of evidence that Rust's type system has effectively prevented cryptography errors, either in protocol state machines or in primitive implementations.
The challenge in avoiding cryptography mistakes is that you have to understand the errors before you can avoid them. Short of formal analysis with provers, I don't think there's a level of programming rigor that gets you away from most (maybe any?) of the last 10-15 years of (say) {TLS,JWT} bugs.
I look forward to discussing that on the 25th when we have more information.
Evidence of this nature will always be difficult, though, since it’s very difficult to prove a negative. We can only prove that some specific issue hasn’t yet occurred.
From what I remember, you can't write a secure cryptography library in pure Rust because it has no guarantees that would stop timing-based vulnerabilities.
Edit: I'm not disagreeing that C compilers are free to optimize stuff like this out; this comment is for people who (like me) thought that serious projects always used assembly for constant time operations.
Which is prime example as to how C does not consider timing to be observable behavior. What the code does is that it tries to specify the operation in sufficiently complex way that makes compiler give up on any optimizations.
Note how this problem of "sufficient complexity" is an asymmetric problem between code author and compiler. A rather simple transformation implemented by the author to make the code constant-time may require NP-hard effort for the compiler to undo.
(but then the compiler may still do other unrelated transformations that end up making the code non-constant time again)
There's nothing that guarantees that's constant-time. It's just written in a way that's likely to be constant-time, and observed to be constant-time with current compilers, but there's no reason why a specification-compliant compiler couldn't make it variable-time tomorrow.
You can do exactly the same in Rust. Rust isn't any help there, but it doesn't obstruct you either.
We've had code in OpenSSL written in C that was constant time until a newer version of both gcc and clang recognized (mask & a | ~mask & b) as a conditional assign and could do things like turn it into a branch.
Edit: It can turn "b = foo(); c = (mask & a | ~mask & b)" into "if (mask) c = a; else c = foo();"
While this is a true statement, it doesn't feel accurate. Rust's type system offers a significant number of features over that of C beyond just memory safety. These come in the form of safe unions (with Rust enums), Generics with ZeroSizedTypes for ensuring states of computation happen in the proper order, safe destructuring of values such that the wrong field isn't referenced.
Point being, a Rust library that incorporates these type of safety measures can help significantly reduce programming errors beyond just memory safety issues.
Memory errors and the sort of logic errors you described are one source of program errors, but I think the more devious ones are much higher level. There's a general taboo surrounding rolling your own crypto for a reason -- there are too many high level footguns that have nothing to do with raw program logic that can make a crypto system insecure or vulnerable to some kind of exploit, not necessarily relating to the code at all! Problems in randomness, distribution, other things beyond my pay grade.
Rust being higher level will prevent errors, yes, but crypto is hard on a whole other level. It's worth "waiting and seeing" what sort of vuln this is before jumping all in on the rust train this time ;-)
If you're looking for me to argue with you that C is an acceptable substitute for languages like Rust and Go, you're barking up the wrong tree. It's not. But that doesn't mean we can simply bucket every vulnerability in a memory-unsafe program as a casualty of memory-unsafety, especially in programs like OpenSSL, which host a large domain of other vulnerabilities that are equally present in Rust and Go code.
Cryptography might be the one single place where I'd look askance at replacing memory-unsafe code with memory-safe de novo implementations. Fortunately, you mostly don't have that dilemma; there are good options in Go and Rust. But a lot of energy goes into auditing the cryptography code in OpenSSL. Certainly, you might reasonably pick OpenSSL over some random high-level implementation nobody is auditing.
That's why I think it's worth calling this out.
Odds are, it's some dumb memory corruption thing. But we don't know yet. OpenSSL sev:hi tends to mean "dubiously exploitable crasher", and good crypto bugs in OpenSSL tend to be sev:med.
>in those days people used to smoke carcinogens for their taste, drive their own cars and treat mental disorders with an ice pick in the prefrontal cortex
Do you imagine a future where nobody is able to drive cars? Not even for fun?
I want all serious software that's written in C to be replaced with something like Rust, but I write C for fun. It's fun to do dangerous things. It's just bad to have danger as the modus operandi.
I like doing dangerous things for fun too. (See also: my 50 mph scooter.)
I think we should mitigate risk in serious software in many holistic ways such as formal verification, fuzzing, anomaly detection, good/defensive coding standards, code reviews, and so forth. Such can be accomplished in C, but it maybe easier in languages such as Rust. The advantage of C is ubiquitous portability, which is necessary for widely-used libraries.
You're right there's a lot of tools out there to help with writing secure code in C. I suppose I feel safer knowing Rust enforces some memory safey, but that isn't guaranteed either -- you could just use unsafe{} blocks everywhere.
Sure, it’s important for a library to have C source code for portability. That doesn’t exclude implementing the code in another language (such as F*/FStar or Dafny) that has stronger out-of-the-box safety guarantees, then compiling it to portable C source code for distribution.
so..`yholio` Rants asside what is your valuable contribution to the library or creating a new impecable one? I'm acutally glad we have such powerfull library available for free and using open source code so we can audit it and find bugs
It's swiss-army chainsaw juggling with a kitchen-sink of unnecessary features, bloat, and poor coding hygiene.
C isn't the problem per se, it's the lack of quality, formal rigor, and testing that these slap-dash developers foist on the world. It's a steaming pile, and people wonder why it has security vulnerabilities over and over again. It's doing the same damn thing and expecting a different result: C maybe part of it, but its developers just aren't that great.
It's a fork of swiss-army chainsaw juggling with training wheels. It is a slowly-dying project because it's not keeping up and distros are dropping it. It's not a viable alternative.
I dont see why this is being downvoted, in context of the parent comment
> we're still using security libraries written in what is essentially a portable assembly language, doing silly things like pointer arithmetic, manually allocating memory, and other chainsaw juggling feats.
Ok. So I'm pointing out that Go actually doesn't do such a "silly" thing...
We don't know what the vulnerability is yet. Sure it could be a buffer overflow, readily possible in a language like C, or could be a bug in the crypto/implementation itself, no memory safe language will save you there.
I just started wondering, if things were any better if security libraries were written in higher level languages, depending on on a huge run-time support system that is written in what is essentially a portable assembly language, doing silly things like pointer arithmetic, manually allocating memory and so on... :)
> Can't believe that, in God's year 2021, 3rd millennia, Earth, we're still using security libraries written in what is essentially a portable assembly language, doing silly things like pointer arithmetic, manually allocating memory, and other chainsaw juggling feats.
I suppose the flip side of this view is just how easy it is to underestimate what a truly enormous amount of work it would take to completely reimplement all these 'chainsaw juggling feats' that are used all over the place, day in and day out.
This is why we need simple systems above all. That also means having protocols and in general technologies that are as simple as possible while of course being useful. Especially in basic infrastructure, the cost of every new feature should be evaluated as a priority. The cost of bugs also should be considered. Libraries the world basically depends on should be an example how to do these things right.
The reality is, we see constant stream of patches to bugs we know for certain are security related to basically any software we use all the time. Am I the only one to think every such patch should be delivered with sweat running down our backs asking ourself how this could have happened at all in such critical software? Instead we introduce regular patch days, responsible disclosure and other protocols that don't solve the issue itself, that basically our software stacks are not maintainable at all if we are being frank.
In my opinion, we will have no dependable security until a handful of skilled engineers are together able to understand the systems we use fully. One can understand the more low level stuff, the other maybe the middle etc. with some reasonable overlaps so the security of the stack as a whole can be reasonable evaluated and maintained. This is currently just not realistic with any team size, when even the firmware of our CPUs has to be patched constantly. I mean, when you launch e.g. Gmail, who really understands everything from the JavaScript until basically the lowest level firmware in a clients computer? I guess, nobody and not even any team on the planet comes even close to grasping the full depth and breadth of the stack. Therefore the security and other quality related aspects cannot be evaluated without broad oversimplification that really doesn't add anything to the discussion.
If we don't wont to really change our ways, we should at least be frank and say that the software we actually use will never be fully secure, correct or dependable. Just as much as bridges fall, dams break and fallen power-lines create widespread fires we are just not able to handle this stuff reliably. If that is not scary enough, just imagine the software and other infrastructure handling security at nuclear power plants, processing centres and weapons. (And no, engineers are not the only ones having no clue. Doctors, medics etc. don't have a clue either as we see with the pandemic, still unsolved diseases everywhere, even stuff like hearing loss from stress is not understood well.)
What a time for the Linux community to have dropped even their pensive LibreSSL support. Void? Switched back. Anything Debian-based using LibreSSL? Appears dead in the water from what I can find.
Even compile-your-own-OS Gentoo has rolled back any support.
All because large projects like Qt (the widget project) decided to force OpenSSL users to be fully up to date.
Turns out, the legacy calls to OpenSSL were how replacement TLS libraries managed to maintain wide compatibility. And losing compatibility for upcoming Qt6? Was a death knell.
Then again, the OpenBSD folks' choice to avoid implementing TLS3 really didnt help us here.
Finding their team almost as dev-starved as OpenSSL was during the heartBleed days? Has slowed their ability to catch up to the api of OpenSSL. And i wonder if thats same starvation prompted the anti-TLS3 stance.
The problem is not the language! If C is not sufficiently safe for you, you shouldn't take planes, or drive cars, or rely on medical devices, because the software of all these critical embedded system is written in C.
The problem is on how you write the software. There are projects that have strict code standard, such as MISRA C or even stricter ones. The problem is that such a critical software (well, relatively critical, because if there is a bug in a security library nobody dies in the end) is not written to that standards.
Static analysis tools should also be a normal part of the development process regardless of the language being used. Unfortunately, the good tools cost money and that discourages developers (and managers) from using them.
> if there is a bug in a security library nobody dies in the end
The University Hospital Düsseldorf (UKD) in Germany suffered a ransomware attack on September 10, 2020. The attackers exploited a vulnerability in the Citrix ADC that had been known since January but the hospital, unfortunately, had not got around to implementing the fix.
Unfortunately, one patient with a life-threatening illness was diverted to a distant hospital after UKD was deregistered as an emergency care facility. The additional hour’s travel may have been the cause of the patient’s death. On September 18, 2020, German prosecutors launched an official negligent homicide investigation which, if confirmed, would make the patient’s death the first known case of death by hacking.
yes, the problem is not the language. The problem is that OpenSSL has just became so important that It shouldn't not rely on C language any more. We have so much better tools now.
And are very proud of it. Medical equipment is not all implemented in embedded C systems.
And since modern embedded systems can easily run python or embedded JS versions, well, perhaps certain critical libs can actually get implemented in something that does not deal with memory... and the 5-10% penalty in performance is not going to be something anyone really notes.
It is. A language that lets you write unsafe code is an unsafe language.
> If C is not sufficiently safe for you, you shouldn't take planes, or drive cars, or rely on medical devices, because the software of all these critical embedded system is written in C.
Citation needed. I would expect those programs to be written on a language with very strict types and no pointer arithmetic bullshit, like Ada.
And even if some of these software pieces are written in C, (a) that's very bad, too, and (b) it may be more suitable for those scenarios. But a program that reads and parsers unlimited amounts of user input, supports an ever growing list of complex (and often improperly defined) protocols, and is edited/expanded/updated daily, is definitely not such a suitable scenario.
> The problem is on how you write the software. There are projects that have strict code standard, such as MISRA C or even stricter ones.
Again, the problem is the language, not how you use it. If the security of a piece depends on how it is manipulated, it is by default insecure. A secure language shouldn't let users make mistakes (or at least avoid them to a very high degree, both in compilation and run time). And a library that is the backbone of the confidentiality and privacy of millions of people (and billions of dollars in businesses) should be written on a secure language.
Even safety critical software can run reliably for the range of inputs that it's likely to ever see, but contain security holes.
For something like OpenSSL, it must produce a correct output for every single possible input. Even safety critical software may extremely rarely fail in unusual conditions. For security sensitive software though, all it takes is a single possible input that will trigger a bug, because the attacker is not a random process.
Writing secure software in C is extremely difficult.
That's like having a field full of mines and then arguing that the field is not dangerous because you have a map of the mines. If you have to develop strict coding standards not just to write reliable code but to avoid the pitfalls of a language that others don't have, then that proves that the language sucks.
We have languages that can provide certain levels of MISRA safety even if you are a novice programmer.Blaming the users for not following the correct guidelines (that barely anyone follows except for the people paid to follow them) completely misses the point.
As one of the OpenSSL maintainers, I would like to move away from C and probably to rust. But the problem is that C is the most portable language, and rust's platform support just isn't close enough.
1. There is no such thing as a safe or unsafe language. Safety is relative and impossible to guarantee. Even "memory safety" often just means "memory tradeoffs".
2. Inline assembly is often a necessary evil to create implementations of crypto libraries in C... not using it would be worse.
3. It's all machine code under the covers. Whether one developer poorly juggles chainsaws or your high-level language poorly juggles chainsaws is not a question of better or worse, but taste.
4. It's X.509. It sucks in every language.
5. Just because it's in C doesn't mean it sucks. There are alternative libraries that intentionally avoid sucky design. (https://nacl.cr.yp.to/internals.html)
6. Show me another language that's as portable and powerful as C, and cryptographers will probably start using it.
Please, don't do this any more. You're not winning any friends and Rust and Go both have serious issues, mainly the sheer bulk, which will ensure they never, EVER make it into certain market segments.
Moreover, you come across as an obnoxious, and likely paid astroturfer. Stop telling people to use your silly "safe" software. Who wants to be a part of a community with people like YOU in it?
Please don't break the site guidelines like this, regardless of how wrong another comment is or you feel it is. We ban accounts that do that. If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and sticking to the rules when posting here, we'd be grateful.
For the average developer what do I need to do? I don't use OpenSSL directly but I'm pretty sure some parts of my tech stack use it as a dependency. Do I simply need to run `apt-get upgrade` on the 25th?
Watch the debian security mailing list for information about when their fix is available to others through apt: https://lists.debian.org/debian-security-announce/ In general you should be following this list if you're managing production services running debian or ubuntu.
> Do I simply need to run `apt-get upgrade` on the 25th?
Mostly, but some details matter.
Make sure that when you do the upgrade, that you are fetching the fixed version. Check for the security announcement and see which version things get fixed in:
(I am also currently available on part-time freelance basis, feel free to contact me if you need commercial support on your endeavour to structurally address your TLS security issues.)
Apps build rustls into a fat binary, which doesn't get updated on day zero by the OS package manager. It requires a new release by the app maintainer for each app.
Talking to things that only support TLS 1.0. :( some old mail thing which doesn't know what year it is. I think min TLS 1.2 is probably fine for a new library, but I also think believing it's universal is pretty web centric.
TLS 1.0 isn't secure. I'd rather insecure protocols and primitives not be included in a mainstream library. Maybe offer some extension library to allow support, but the default shouldn't have any risk of including such code in a way that it could be usable by a careless programmer. Same for MD5 and SHA1.
You can find it if you have a generic "suspicious looking code" check. And you can find it if you have a protocol regression test. But do you have a model of TLS that proves incorrect code paths like this don't exist?
It included some server states in the client state machine, so if a client sent the server its own "authentication successful" message it… just let them in.
Any idea when rustls will hit 1.0? I feel a little unsafe using a <1.0 library because (assuming it's following SemVer) as it might not be "done"/production ready and the API might change a lot before it hits 1.0.
The API has generally been pretty stable, so I don't think you should be too worried about that. I haven't talked to other stakeholders about a version 1.0, and we actually have some larger API changes cooking right now. For now we probably value the ability to change the API more, especially because there are likely still ways we can make it more robust/secure.
Do you support ppc64le? WebAssembly? Not a requirement for me, but the fact that ring has no portable implementations is concerning. How do you verify correctness without a baseline? Evercrypt seems like a much better option on that front.
I think ring does support WebAssembly. Yeah, the ASM in ring is not great, but unfortunately Rust does not currently provide us with all the guarantees we need to write safe crypto code (for example, timing guarantees). We hope this will change fairly soon, though, so we can port all the underlying crypto to Rust.
I am all for shared libraries. Update openssl and everything else gets the patch. With rust/go, now I have to wait for all the authors to release their fat binaries of the same dependencies
There was a post here a few days ago by one of the Gentoo maintainers talking about how static builds are bad and this exact reason (security vulnerability that touches lots of things) was one mentioned.
Site appears to be hugged to death. Here's the full text of the email:
The OpenSSL project team would like to announce the forthcoming
release of OpenSSL version 1.1.1k.
This release will be made available on Thursday 25th March 2021
between 1300-1700 UTC.
OpenSSL 1.1.1k is a security-fix release. The highest severity issue
fixed in this release is HIGH:
https://www.openssl.org/policies/secpolicy.html#high
Yours
The OpenSSL Project Team
This is a pretty low-information post and the discussion is therefore pretty generic. In such cases it's better to wait until the thing actually comes out, and with it enough information to support a specific discussion.
dang, do you think the fact that this is announcing a date in the future to look out for potentially an exploitable issue and folks may want to discuss ways to mitigate that?
127 comments
[ 2.8 ms ] story [ 202 ms ] threadThe last high severity fix in OpenSSL was this past December.
[1] https://www.openssl.org/policies/secpolicy.html
It would have been CRITICAL.
[1] - https://www.openssl.org/blog/blog/2015/09/28/critical-securi...
So something to make sure you update, but not a Heartbleed level concern
e.g. see https://mta.openssl.org/pipermail/openssl-announce/2021-Febr...
On the other hand, it gives people that found the vulnerability independently a bit of extra time to exploit.
It’s an open source library so the code of the patch will be available as soon as it’s published. It’s not released as a compiled library.
For some reason, companies decided to put money into the known-bad openssl instead, as if money could fix a bad development culture.
Discussion: https://github.com/void-linux/void-packages/issues/20935
you can do better, my friend. you are worth better.
Who wants to roll out any kind of update to their production systems on a Friday afternoon ? That’s just asking for trouble.
https://web.archive.org/web/20210322203019/https://mta.opens...
I swear some day we'll look back to this period with bewilderment: son, in those days people used to smoke carcinogens for their taste, drive their own cars and treat mental disorders with an ice pick in the prefrontal cortex. Trully mad men would even implement X.509 in unsafe languages.
Pattern matching has nothing to do with security or program safety.
This is very helpful for not using cryptography libraries incorrectly, or not accidentally using the wrong data at different points of implementing functions.
Generally more applicable to higher level use cases, the ring[1] library is a great example of how the algorithms (same impls as OpenSSL) are exposed to end users.
[1]: https://github.com/briansmith/ring
The challenge in avoiding cryptography mistakes is that you have to understand the errors before you can avoid them. Short of formal analysis with provers, I don't think there's a level of programming rigor that gets you away from most (maybe any?) of the last 10-15 years of (say) {TLS,JWT} bugs.
Evidence of this nature will always be difficult, though, since it’s very difficult to prove a negative. We can only prove that some specific issue hasn’t yet occurred.
https://github.com/jedisct1/libsodium/blob/ae4add868124a32d4...
Edit: I'm not disagreeing that C compilers are free to optimize stuff like this out; this comment is for people who (like me) thought that serious projects always used assembly for constant time operations.
https://docs.rs/subtle/2.4.0/src/subtle/lib.rs.html#226-244 - the impl for [u8], where the per-element ct_eq is
https://docs.rs/subtle/2.4.0/src/subtle/lib.rs.html#259-272 - the impl for u8
(but then the compiler may still do other unrelated transformations that end up making the code non-constant time again)
You can do exactly the same in Rust. Rust isn't any help there, but it doesn't obstruct you either.
Edit: It can turn "b = foo(); c = (mask & a | ~mask & b)" into "if (mask) c = a; else c = foo();"
Point being, a Rust library that incorporates these type of safety measures can help significantly reduce programming errors beyond just memory safety issues.
Rust being higher level will prevent errors, yes, but crypto is hard on a whole other level. It's worth "waiting and seeing" what sort of vuln this is before jumping all in on the rust train this time ;-)
That's why I think it's worth calling this out.
Odds are, it's some dumb memory corruption thing. But we don't know yet. OpenSSL sev:hi tends to mean "dubiously exploitable crasher", and good crypto bugs in OpenSSL tend to be sev:med.
Do you imagine a future where nobody is able to drive cars? Not even for fun?
I want all serious software that's written in C to be replaced with something like Rust, but I write C for fun. It's fun to do dangerous things. It's just bad to have danger as the modus operandi.
I think we should mitigate risk in serious software in many holistic ways such as formal verification, fuzzing, anomaly detection, good/defensive coding standards, code reviews, and so forth. Such can be accomplished in C, but it maybe easier in languages such as Rust. The advantage of C is ubiquitous portability, which is necessary for widely-used libraries.
Open source didn’t stop Heartbleed
C isn't the problem per se, it's the lack of quality, formal rigor, and testing that these slap-dash developers foist on the world. It's a steaming pile, and people wonder why it has security vulnerabilities over and over again. It's doing the same damn thing and expecting a different result: C maybe part of it, but its developers just aren't that great.
It's not a "viable alternative" because nobody cares enough to test their code against it.
https://groups.google.com/g/golang-nuts/c/0za-R3wVaeQ
> we're still using security libraries written in what is essentially a portable assembly language, doing silly things like pointer arithmetic, manually allocating memory, and other chainsaw juggling feats.
Ok. So I'm pointing out that Go actually doesn't do such a "silly" thing...
[0] - JS ¯\_(ツ)_/¯
I suppose the flip side of this view is just how easy it is to underestimate what a truly enormous amount of work it would take to completely reimplement all these 'chainsaw juggling feats' that are used all over the place, day in and day out.
The reality is, we see constant stream of patches to bugs we know for certain are security related to basically any software we use all the time. Am I the only one to think every such patch should be delivered with sweat running down our backs asking ourself how this could have happened at all in such critical software? Instead we introduce regular patch days, responsible disclosure and other protocols that don't solve the issue itself, that basically our software stacks are not maintainable at all if we are being frank.
In my opinion, we will have no dependable security until a handful of skilled engineers are together able to understand the systems we use fully. One can understand the more low level stuff, the other maybe the middle etc. with some reasonable overlaps so the security of the stack as a whole can be reasonable evaluated and maintained. This is currently just not realistic with any team size, when even the firmware of our CPUs has to be patched constantly. I mean, when you launch e.g. Gmail, who really understands everything from the JavaScript until basically the lowest level firmware in a clients computer? I guess, nobody and not even any team on the planet comes even close to grasping the full depth and breadth of the stack. Therefore the security and other quality related aspects cannot be evaluated without broad oversimplification that really doesn't add anything to the discussion.
If we don't wont to really change our ways, we should at least be frank and say that the software we actually use will never be fully secure, correct or dependable. Just as much as bridges fall, dams break and fallen power-lines create widespread fires we are just not able to handle this stuff reliably. If that is not scary enough, just imagine the software and other infrastructure handling security at nuclear power plants, processing centres and weapons. (And no, engineers are not the only ones having no clue. Doctors, medics etc. don't have a clue either as we see with the pandemic, still unsolved diseases everywhere, even stuff like hearing loss from stress is not understood well.)
Even compile-your-own-OS Gentoo has rolled back any support.
All because large projects like Qt (the widget project) decided to force OpenSSL users to be fully up to date.
Turns out, the legacy calls to OpenSSL were how replacement TLS libraries managed to maintain wide compatibility. And losing compatibility for upcoming Qt6? Was a death knell.
Then again, the OpenBSD folks' choice to avoid implementing TLS3 really didnt help us here.
Finding their team almost as dev-starved as OpenSSL was during the heartBleed days? Has slowed their ability to catch up to the api of OpenSSL. And i wonder if thats same starvation prompted the anti-TLS3 stance.
The problem is on how you write the software. There are projects that have strict code standard, such as MISRA C or even stricter ones. The problem is that such a critical software (well, relatively critical, because if there is a bug in a security library nobody dies in the end) is not written to that standards.
The University Hospital Düsseldorf (UKD) in Germany suffered a ransomware attack on September 10, 2020. The attackers exploited a vulnerability in the Citrix ADC that had been known since January but the hospital, unfortunately, had not got around to implementing the fix.
Unfortunately, one patient with a life-threatening illness was diverted to a distant hospital after UKD was deregistered as an emergency care facility. The additional hour’s travel may have been the cause of the patient’s death. On September 18, 2020, German prosecutors launched an official negligent homicide investigation which, if confirmed, would make the patient’s death the first known case of death by hacking.
:|
And are very proud of it. Medical equipment is not all implemented in embedded C systems.
And since modern embedded systems can easily run python or embedded JS versions, well, perhaps certain critical libs can actually get implemented in something that does not deal with memory... and the 5-10% penalty in performance is not going to be something anyone really notes.
It is. A language that lets you write unsafe code is an unsafe language.
> If C is not sufficiently safe for you, you shouldn't take planes, or drive cars, or rely on medical devices, because the software of all these critical embedded system is written in C.
Citation needed. I would expect those programs to be written on a language with very strict types and no pointer arithmetic bullshit, like Ada.
And even if some of these software pieces are written in C, (a) that's very bad, too, and (b) it may be more suitable for those scenarios. But a program that reads and parsers unlimited amounts of user input, supports an ever growing list of complex (and often improperly defined) protocols, and is edited/expanded/updated daily, is definitely not such a suitable scenario.
> The problem is on how you write the software. There are projects that have strict code standard, such as MISRA C or even stricter ones.
Again, the problem is the language, not how you use it. If the security of a piece depends on how it is manipulated, it is by default insecure. A secure language shouldn't let users make mistakes (or at least avoid them to a very high degree, both in compilation and run time). And a library that is the backbone of the confidentiality and privacy of millions of people (and billions of dollars in businesses) should be written on a secure language.
Rust lets you write unsafe code, and as a matter of fact people are using unsafe abundantly.
For something like OpenSSL, it must produce a correct output for every single possible input. Even safety critical software may extremely rarely fail in unusual conditions. For security sensitive software though, all it takes is a single possible input that will trigger a bug, because the attacker is not a random process.
Writing secure software in C is extremely difficult.
We have languages that can provide certain levels of MISRA safety even if you are a novice programmer.Blaming the users for not following the correct guidelines (that barely anyone follows except for the people paid to follow them) completely misses the point.
2. Inline assembly is often a necessary evil to create implementations of crypto libraries in C... not using it would be worse.
3. It's all machine code under the covers. Whether one developer poorly juggles chainsaws or your high-level language poorly juggles chainsaws is not a question of better or worse, but taste.
4. It's X.509. It sucks in every language.
5. Just because it's in C doesn't mean it sucks. There are alternative libraries that intentionally avoid sucky design. (https://nacl.cr.yp.to/internals.html)
6. Show me another language that's as portable and powerful as C, and cryptographers will probably start using it.
Moreover, you come across as an obnoxious, and likely paid astroturfer. Stop telling people to use your silly "safe" software. Who wants to be a part of a community with people like YOU in it?
Mostly, but some details matter.
Make sure that when you do the upgrade, that you are fetching the fixed version. Check for the security announcement and see which version things get fixed in:
* https://www.debian.org/security/
Once the CVE is known, you can also see which versions are vulnerable and which are fixed:
* https://security-tracker.debian.org/tracker/CVE-2020-1971
You may have to restart some services. The checkrestart utility is handy to find these:
* https://packages.debian.org/buster/debian-goodies
* https://packages.debian.org/search?keywords=debian-goodies
[1] https://hacl-star.github.io/HaclValeEverCrypt.html
What would your team need to be able to migrate to a different TLS stack that so far has proven to be safer, and passed its first security audit with flying colors? (https://github.com/ctz/rustls/blob/main/audit/TLS-01-report....)
(I am also currently available on part-time freelance basis, feel free to contact me if you need commercial support on your endeavour to structurally address your TLS security issues.)
Look at gotofail: https://www.imperialviolet.org/2014/02/22/applebug.html
You can find it if you have a generic "suspicious looking code" check. And you can find it if you have a protocol regression test. But do you have a model of TLS that proves incorrect code paths like this don't exist?
https://docs.rs/rustls/0.19.0/rustls/manual/index.html
We try very hard to model our code as a constrained state machine that closely follows the specification.
It included some server states in the client state machine, so if a client sent the server its own "authentication successful" message it… just let them in.
* A TLS client using session resumption may cause a use-after-free.
https://hn.algolia.com/?dateRange=all&page=0&prefix=false&so...
https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...
granted, much of the discussion is not about that at this point, though there is a bit: https://news.ycombinator.com/item?id=26547279