OpenSSL is in big trouble. Heartbleed got a lot of people talking, and some are taking action. The latest security advisories from OpenSSL may not look as bad, but are still sobering nevertheless. We, the professionals in the field of software technology, need to rethink our stance here. Most of us chose indifference, and we allowed ourselves to get caught. Shame on us. We had a lot of warnings. And the vast majority of us, well, we ignored them. We joked, re-tweeted some amusing quotes about the quality of its code, and about the people behind it. And then moved on to our daily jobs, untroubled as to what it really meant. Well, here we are now – our imaginary bubble of privacy and security popped once again (thanks NSA – we haven’t forgotten about you either). However, it’s also an opportunity to pause in order to confront the brutal facts and learn.
Shaking off the Apathy
The warnings started early, and it wasn’t always about the SSL/TLS infrastructure. Remember Conficker? Most of us don’t. And that’s alarming. Unleashed in 2008, it’s still a shark in a swimming pool, albeit a passive one for now. No one knows where it came from (Ukraine?), or what the intent was. At the height of Conficker activity, the most basic aspects of the Internet architecture suddenly looked like a house of cards. Most experts are of the opinion that it’s been trapped in the ever active sinkholes, and that it’s no longer able to call home and communicate with the command-and-control servers. Or so we think. The fact is, various estimates put the number of nodes affected at 12 million or so as of today. And it’s still out there, lurking, waiting. We hope that it’s code base will die of obsolescence, but how long do we have?
Now enter the NSA, and it’s holier than thou attitude, and it’s negligent belligerence that undermined the very products that were supposed to provide us with privacy and security online. We knew that the metaphorical house that we live in stands on a rotten foundation. But we are still working to cram more belongings in there – the Internet of Things, the phones, the tablets, our cars, our medical devices, and who knows what else – it all promises to make our lives easier and more convenient. But for how long are we going to choose convenience above all? The most important lesson here is that it’s time we woke up as professionals, and cast aside the apathy, the indifference and the “it’s not my job” attitude. OpenSSL can be made better as a result, and step by step, our overall interconnected world.
OpenSSL had been in trouble for a long time
OpenSSL had been criticized before, and often. Some even said that “OpenSSL is written by monkeys“. I had some first hand experience with the OpenSSL source code around 2005. I spent a lot of time – days – trying understand how Certificate Revocation Lists are handled. It was a dark place – a trap of #ifdef 0 or if(0) blocks, vague and lengthy functions with names that have no relation to what’s going on, and lots and lots of ‘what were they thinking’ moments. I gave up.
The sad thing is, here we are, almost a decade later, reaping what we sown. And that feels pretty bad. Not only because we got caught in our own complacency, but because the picture was clear for over the decade. And I chose to do nothing.
So, what now?
Action. It’s time to act. There are lots of ideas tossed around, but I hope that all the talk will be followed by action. Some called to abandon OpenSSL altogether, some called for investments, some stating that ‘throwing money at OpenSSL’ won’t solve a thing. There are plenty of false prophets with access to media outlets suggesting ridiculous things, like rewriting OpenSSL in C# or Java. I am looking at you, MIT Technology Review. Clear noisemakers aside, I am not sure who’s right and who’s wrong. Personally, I am no longer sitting on the sidelines. I am getting involved – I am doing static code analysis on my own, hoping one day to provide value. I am also fortunate enough to be employed by a very successful technology company. I am working with my employer to explore options for donating funds to the OpenSSL project. Time will tell what will come of it. If not me, then who? If not now, when?