Sharing Code Implies Sharing Vulnerabilities


(E) If Microsoft software has a vulnerability, either in one of its applications such as Internet Explorer or Office or in its Windows operating system, there is no problem: just switch to another application such as Firefox or OpenOffice, or use Mac OS or Linux. But if one of the widely used open source network protocols or operating systems embedded in many commercial products has a vulnerability, you cannot switch. That is the lesson (and certainly not the last one) that we are learning with the Heartbleed bug in OpenSSL.

The reason why open source software is so widely used by vendors is obvious: it lets them avoid re-inventing the wheel and focus on adding value to an existing and popular piece of infrastructure software. SSL is now a 20-year-old protocol (created by Netscape and standardized as TLS by the IETF), and OpenSSL is a widely used implementation of SSL/TLS. I used it in one of my security products 10 years ago. No one wants to redevelop existing product stacks, and in the case of SSL or any other security protocol, no one wants to redevelop the crypto part of the stack in particular. Open source software is not necessarily less secure than commercial software, but commercial vendors definitely have a strong interest in developing secure code for their customers and in ensuring proper quality assurance methods. Now we know that open source software developers should probably do the same.


Electronic Frontier Foundation

Note: The picture above is the Heartbleed logo from Codenomicon.

Copyright © 2005-2014 by Serge-Paul Carrasco. All rights reserved.
Contact Us: asvinsider at gmail dot com.

Categories: Cybersecurity, Open source