SecurityWeek

Audits

Evolution of OpenSSL Security After Heartbleed

OpenSSL has evolved a great deal in terms of security since the disclosure of the Heartbleed vulnerability back in 2014.

OpenSSL, an open-source library that implements the Transport Layer Security (TLS) protocol and its deprecated predecessor, Secure Sockets Layer (SSL), is widely used by organizations to protect communications.

In April 2014, the world learned that OpenSSL was affected by a critical vulnerability, dubbed Heartbleed and tracked as CVE-2014-0160, that could be exploited to steal potentially sensitive information from supposedly protected communications without leaving a trace.

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software,” the researchers who discovered Heartbleed wrote on a website dedicated to the vulnerability. “This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
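The memory read the researchers describe came from a missing bounds check: the heartbeat handler in OpenSSL's TLS code took the payload length the peer declared and copied that many bytes into its reply without comparing it with the length of the record that had actually arrived, and the fix added that comparison. The C program below is an added illustration, not code from this article or from the OpenSSL project: it models the handler in the shape of the pre-fix code next to the checked version, and runs both against a constructed record that carries 2 payload bytes but declares 64. The record layout follows RFC 6520; the `hb_record`/`hb_response` types, the arena that stands in for the process heap and the "secret" placed after the record are all constructed for the simulation, so the over-read stays inside memory the program owns.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message body (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

typedef struct {
    const uint8_t *data;  /* start of the heartbeat message body */
    size_t length;        /* bytes actually received (OpenSSL's rrec.length) */
} hb_record;

typedef struct { uint8_t buf[512]; size_t len; } hb_response;

/* 16-bit big-endian read, the job of OpenSSL's n2s() macro. */
static uint16_t read_u16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Builds the reply: type, echoed length, `payload` bytes copied from pl, then padding.
 * Only the size of our own reply buffer is checked here. */
static int hb_build_reply(hb_response *out, const uint8_t *pl, uint16_t payload) {
    if ((size_t)1 + 2 + payload + HB_PADDING > sizeof out->buf) return -1;
    out->buf[0] = HB_RESPONSE;
    out->buf[1] = (uint8_t)(payload >> 8);
    out->buf[2] = (uint8_t)(payload & 0xff);
    memcpy(out->buf + 3, pl, payload);            /* copies `payload` bytes whatever the record holds */
    memset(out->buf + 3 + payload, 0, HB_PADDING);
    out->len = 3 + (size_t)payload + HB_PADDING;
    return 0;
}

/* Shape of the pre-fix handler: the declared length is never compared with r->length. */
int heartbeat_vulnerable(const hb_record *r, hb_response *out) {
    uint8_t type = r->data[0];
    uint16_t payload = read_u16(r->data + 1);
    if (type != HB_REQUEST) return -1;
    return hb_build_reply(out, r->data + 3, payload);
}

/* Same handler with the two bounds checks the April 2014 fix added. */
int heartbeat_fixed(const hb_record *r, hb_response *out) {
    if (r->length < 1 + 2 + HB_PADDING) return -1;                      /* too short to be a heartbeat */
    uint8_t type = r->data[0];
    uint16_t payload = read_u16(r->data + 1);
    if (1 + 2 + (size_t)payload + HB_PADDING > r->length) return -1;    /* declared payload must fit */
    if (type != HB_REQUEST) return -1;
    return hb_build_reply(out, r->data + 3, payload);
}

/* Constructed scenario (not real traffic): a 256-byte arena stands in for the heap.
 * The record sits at its start; a "secret" the peer never sent sits right after it. */
#define ARENA_SIZE 256
static const char SECRET[] = "session-cookie=abc123";
static const char HONEST_PAYLOAD[] = "hi";

static hb_record make_record(uint8_t *arena, uint16_t declared_len) {
    size_t actual = sizeof HONEST_PAYLOAD - 1;          /* 2 payload bytes really sent */
    size_t rec_len = 1 + 2 + actual + HB_PADDING;       /* 21 bytes on the wire */
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(declared_len >> 8);
    arena[2] = (uint8_t)(declared_len & 0xff);
    memcpy(arena + 3, HONEST_PAYLOAD, actual);          /* padding bytes stay zero */
    memcpy(arena + rec_len, SECRET, sizeof SECRET);     /* adjacent memory */
    hb_record r = { arena, rec_len };
    return r;
}

static int contains(const uint8_t *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if a 2-byte payload declared as 64 bytes makes the vulnerable handler echo SECRET. */
int vulnerable_leaks_secret(void) {
    uint8_t arena[ARENA_SIZE]; hb_response resp;
    hb_record r = make_record(arena, 64);
    if (heartbeat_vulnerable(&r, &resp) != 0) return 0;
    return contains(resp.buf, resp.len, SECRET);
}

/* 1 if the fixed handler refuses the same over-declared record. */
int fixed_rejects_oversized(void) {
    uint8_t arena[ARENA_SIZE]; hb_response resp;
    hb_record r = make_record(arena, 64);
    return heartbeat_fixed(&r, &resp) == -1;
}

/* 1 if the fixed handler still answers an honest request, echoing its 2-byte payload. */
int fixed_answers_honest(void) {
    uint8_t arena[ARENA_SIZE]; hb_response resp;
    hb_record r = make_record(arena, 2);
    if (heartbeat_fixed(&r, &resp) != 0) return 0;
    return resp.len == 1 + 2 + 2 + HB_PADDING && resp.buf[0] == HB_RESPONSE
        && memcmp(resp.buf + 3, HONEST_PAYLOAD, 2) == 0;
}

int main(void) {
    printf("vulnerable handler leaks adjacent memory: %d\n", vulnerable_leaks_secret());
    printf("fixed handler rejects over-declared length: %d\n", fixed_rejects_oversized());
    printf("fixed handler answers honest request: %d\n", fixed_answers_honest());
    return 0;
}
```

The point a reviewer would look for is the one line in `heartbeat_fixed()` that relates the attacker-controlled `payload` field to `r->length`; the vulnerable version bounds only the reply buffer, which is why the copy succeeds and the reply carries bytes from beyond the record. On a real server those bytes were whatever happened to be adjacent on the heap, and nothing in the exchange is logged as an error, which is what "without leaving a trace" means above.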

There have been some reports of attacks exploiting Heartbleed following its disclosure, and it has even been claimed that the NSA had known about the vulnerability prior to its disclosure and leveraged it to gather critical intelligence, a claim that the agency denied.

The discovery and disclosure of the Heartbleed vulnerability represented a turning point for OpenSSL.

Following the disclosure and patching of Heartbleed in April 2014, the cybersecurity community and the tech industry turned their attention to the open source project and things started to change. The project received significant funding and more people became involved in its development.

While nearly a dozen critical and high-severity vulnerabilities were found in OpenSSL between the disclosure of Heartbleed and the end of 2016, only one high-severity flaw was identified in 2017, and in 2018 and 2019 most of the patched weaknesses were rated low severity, with the remainder rated medium.


Matt Caswell, a member of the OpenSSL Management Committee, told SecurityWeek that there was a major reorganization of the project following the disclosure of Heartbleed.

“Prior to that time we only really had a couple of people making regular commits on the project and no one who was exclusively focused on supporting it full time. Due to the lack of resources it was very difficult for the community to engage with the project and get their patches incorporated,” Caswell explained. “One of the first things we did [as part of the reorganization] was recruit new people into the project and we deliberately set about building a community.”

There are currently two people who work full-time on the OpenSSL code, a figure that does not include individuals assigned by their employers to work on the project. There are also 16 individuals on the committer team and many more in the broader community who contribute patches.

According to Caswell, 30 OpenSSL contributors made 469 commits to the master branch in 2013, which was the last full year before the disclosure of Heartbleed. In comparison, in 2019, roughly 150 authors made over 1,800 commits.

“This broader community engagement means we really do have many more eyes on the code and a much healthier project,” Caswell said.

In the aftermath of Heartbleed, the OpenSSL Project also started focusing on code quality and introduced a mandatory code review process for all commits, so that every change is reviewed by at least two experienced developers before being accepted.

Other steps taken in recent years to improve security include multiple external audits of the codebase, significant additions to the built-in test framework, integrated fuzz testing, regular static analysis of the codebase, and integration with Travis CI and AppVeyor so that every pull request is tested continuously.

“With the added community engagement that we have had, it has freed us up to be able to rewrite significant portions of the library that were in need of update,” Caswell said. “For example over recent years the SSL/TLS state machine has been completely rewritten, and we have a brand new, high quality, random number generation component.”

Caswell noted that the higher number of serious vulnerabilities patched in 2015 and 2016 was a result of security researchers being increasingly interested in the project following the discovery of Heartbleed.

While the project continues to see engagement from the research community, the number of vulnerabilities found in OpenSSL in the past two years has decreased significantly, which Caswell attributes to OpenSSL becoming more secure.

In fact, one of the two groups awarded the Levchin prize for Real World Cryptography in 2018 was the OpenSSL team, recognized for the “dramatic improvements to the code quality of OpenSSL.”

The OpenSSL Project received funding from various sources following the discovery of Heartbleed, including the Linux Foundation’s Core Infrastructure Initiative (CII). However, Caswell says nearly all of that initial funding has now ended and they continue to seek organizations that are willing to support the project in the future.

“Getting a stable long term financial position for the project continues to be a challenge for us. We have a number of organisations that contribute staff time to the project and a number who have sponsored our current FIPS project,” he said. “We are hugely grateful to all of those organisations that have contributed in this way.”

OpenSSL is also covered by the HackerOne-hosted Internet Bug Bounty, through which researchers who found vulnerabilities in the code have earned rewards totaling over $31,000.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
