
The Test Bed, the latest news on all the hottest products passing through the PCW Labs

Personal Computer World


Er. before you start to get too smug about open-source security...

Open-source security is improving rapidly, according to our colleagues on vnunet.com, but a rather different picture emerges from a report in MIT Technology Review. It says a cock-up two years ago by some coders at Linux house Debian has compromised millions of machines, not to mention some of the web's most important software.

A fix has been produced but the problems caused cannot simply be patched away. New keys have to be generated, certified and distributed, which takes time.

The coders were using a tool called Valgrind that, ironically, identifies possible vulnerabilities. It spotted what appeared to be a problem in the OpenSSL Library used by software including the Apache web server, the IPsec Virtual Private Network, and SSH remote access software.

Valgrind flagged that the OpenSSL library used a block of memory without initialising it to a known state, which is normally considered a mistake. But in this case the unknown memory values were used by the library as one of several sources of randomness when generating encryption keys.

The Debian programmers simply commented out the lines implementing the 'mistake'. The effect was to narrow the number of possible keys considerably, leaving the encryption open to attack.
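To see why removing one input to the seeding step collapses the key space, here is an added toy model; it is not OpenSSL's or Debian's code. It assumes, as in the actual incident, that the process id (a 15-bit value on Linux systems of the day) was the only varying input left once the uninitialised buffer was dropped, and it shows the defender's response: enumerate every key the broken generator can emit and check existing keys against that list, which is what Debian's weak-key blacklist tooling did for real keys.

```python
import hashlib
import os
from typing import Optional, Set

PID_SPACE = 32768  # 15-bit Linux pid range: the only entropy left after the change


def seed_prng(pid: int, uninit_buf: Optional[bytes]) -> bytes:
    """Toy stand-in for the PRNG seeding step (not OpenSSL's real code).
    Before the change both inputs were mixed in; after it, only the pid."""
    h = hashlib.sha256(pid.to_bytes(4, "little"))
    if uninit_buf is not None:
        h.update(uninit_buf)
    return h.digest()


def keygen(seed: bytes) -> bytes:
    """Toy deterministic key derivation (stand-in for RSA/DSA key generation)."""
    return hashlib.sha256(b"toy-keygen|" + seed).digest()[:16]


def generate_key(pid: int, debian_patched: bool, uninit_buf: Optional[bytes] = None) -> bytes:
    """On the patched build the buffer is ignored, as if the seeding lines were
    commented out; otherwise whatever happened to be in memory is mixed in."""
    if debian_patched:
        return keygen(seed_prng(pid, None))
    if uninit_buf is None:
        uninit_buf = os.urandom(16)  # constructed model of 'unknown memory contents'
    return keygen(seed_prng(pid, uninit_buf))


def build_weak_key_blacklist() -> Set[bytes]:
    """Every key the patched generator can ever produce: one per pid.
    This is the defender's artefact; it is small because the key space is."""
    return {generate_key(pid, debian_patched=True) for pid in range(PID_SPACE)}


def is_weak(key: bytes, blacklist: Set[bytes]) -> bool:
    """Audit check: does this key fall inside the enumerable weak set?"""
    return key in blacklist


if __name__ == "__main__":
    bl = build_weak_key_blacklist()
    print(f"{len(bl)} possible keys on the patched build")
    print("patched-build key weak:", is_weak(generate_key(4242, True), bl))
    print("unpatched key weak:    ", is_weak(generate_key(4242, False), bl))
```

Two machines generating a key under the same pid get the same key on the patched build, and the whole key space is enumerated in well under a second, which is why regenerating every affected key, not just installing the fix, was required.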

Astonishingly, so-called secure systems have been running with this vulnerability for two years. No-one knows how many machines are affected, not least because some may not even have been using the compromised code.

At least it brings a new meaning to the term OpenSSL.

© Incisive Media Investments Limited 2010, Published by Incisive Financial Publishing Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, are companies registered in England and Wales with company registration numbers 04252091 & 04252093