The new OpenSSL flaw is no Heartbleed

Yes, another flaw has been discovered in OpenSSL, but it's nowhere near the severity or scale of Heartbleed

Another vulnerability in OpenSSL has been revealed. It's a somewhat interesting one, and though it has existed for about a decade, going undiscovered until last month and unpublicized until last week, it's not nearly as significant as Heartbleed. Of course, you wouldn't know that from reading articles titled "Heartbleed Redux: Another Gaping Wound in Web Encryption Uncovered." Note that the URL says "SSL," not "Web Encryption." Both are wrong.

Meanwhile, the Guardian chimes in with "Latest OpenSSL bug 'may be more dangerous than Heartbleed'." Lions and tigers and bears, oh my!


This is an OpenSSL-only vulnerability, not a vulnerability in "Web encryption" or SSL. If you dig into this vulnerability, you'll quickly arrive at a few key points.

First, this is a man-in-the-middle attack, meaning that for a secure communications channel to become compromised, the attacker would have to be in a position to intercept and modify traffic between two hosts. Those hosts would both have to be running vulnerable versions of OpenSSL as well. This eliminates most Web browsers from the discussion, as they mostly use other SSL implementations. There are certainly affected hosts running as servers and clients, but those clients will be smaller in number, and again, the pathways and access that would be necessary to exploit this flaw in the wild are very limited at best.

As the hand-wringing Wired article points out later on, this is a much bigger deal for VPN connections. Many VPN solutions use OpenSSL, such as OpenVPN, and vulnerabilities in these solutions are a serious matter. Luckily, this flaw can be addressed by updating OpenSSL to the latest version in your branch and restarting the VPN connection. Even if the remote endpoint remains unpatched, if the VPN terminating server has been patched, the connection will not be vulnerable.
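The fix above comes down to one question an administrator has to answer on every VPN endpoint: is the installed OpenSSL at or above the patched release for its branch? That is less trivial than it sounds, because OpenSSL's release names carry a letter suffix that does not sort the way `sort` or a plain string compare would order it. The script below is an added example, not code from this article or from the OpenSSL project; the banner it parses is a constructed sample, and the minimum version `1.0.1x` is a placeholder (the real value for your branch comes from the OpenSSL security advisory for the flaw).

```shell
#!/bin/sh
# Added example, not code from the InfoWorld article: decide whether an installed
# OpenSSL is at or above the minimum patched release for its branch.
# OpenSSL 0.9.8/1.0.x releases are "x.y.z" plus a letter suffix (1.0.1g, 0.9.8za).
# Suffixes sort by length first and then alphabetically (y < z < za), so a plain
# string comparison or sort(1) gets them wrong; this script compares them properly.

# Numeric part of a version: "1.0.1h" -> "1.0.1" (pre-release tags such as "-beta1" drop off).
_num_part()    { printf '%s' "$1" | sed 's/[^0-9.].*$//'; }
# Letter suffix of a version: "0.9.8za" -> "za", "1.0.1" -> "".
_suffix_part() { printf '%s' "$1" | sed 's/^[0-9.]*//; s/[^a-z].*$//'; }

# Return 0 if dotted numeric A >= B, comparing component by component.
_dotted_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# Return 0 if suffix A >= suffix B under OpenSSL's ordering: no suffix < "a" .. "z" < "za" .. "zz".
_suffix_ge() {
    a="$1"; b="$2"
    [ "${#a}" -gt "${#b}" ] && return 0
    [ "${#a}" -lt "${#b}" ] && return 1
    [ "$a" = "$b" ] && return 0
    [ "$(expr "$a" \> "$b")" = 1 ]
}

# Return 0 if INSTALLED (arg 1) is at least MINIMUM (arg 2); 1 otherwise.
openssl_version_ge() {
    an=$(_num_part "$1"); bn=$(_num_part "$2")
    if [ "$an" != "$bn" ]; then
        _dotted_ge "$an" "$bn"
        return $?
    fi
    _suffix_ge "$(_suffix_part "$1")" "$(_suffix_part "$2")"
}

# Return 0 if both versions belong to the same branch (same x.y.z), e.g. 1.0.1g and 1.0.1h.
openssl_same_branch() { [ "$(_num_part "$1")" = "$(_num_part "$2")" ]; }

# Pull the version token out of `openssl version` output: "OpenSSL 1.0.1g 7 Apr 2014" -> "1.0.1g".
openssl_version_from_banner() { printf '%s\n' "$1" | awk '{ print $2 }'; }

# Demonstration on a constructed banner (not taken from a real host). The minimum
# is a placeholder: the real value for your branch comes from the OpenSSL advisory
# for the flaw you are checking, and it must be from the same branch as the install.
sample_banner='OpenSSL 1.0.1g 7 Apr 2014'
installed=$(openssl_version_from_banner "$sample_banner")
minimum="${1:-1.0.1x}"   # PLACEHOLDER, not a real release number
if ! openssl_same_branch "$installed" "$minimum"; then
    echo "$installed and $minimum are different branches; compare against your branch's fix release"
elif openssl_version_ge "$installed" "$minimum"; then
    echo "$installed is at or above $minimum: patched"
else
    echo "$installed is below $minimum: update and restart the VPN service"
fi
```

On a real host, replace the constructed banner with `$(openssl version)` and pass the advisory's fix release for your branch as the first argument. The same-branch guard matters: a 1.0.0 install compared against a 1.0.1 fix release would report "below" even when the 1.0.0 branch has its own patched release, which is why the script refuses to judge across branches.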

This new flaw is significantly different from Heartbleed in a number of ways. This attack requires a two-party conversation to begin while the attacker is positioned to play fast and loose with the keys for that single conversation between one host and another. Patching even one side closes this hole.

On the other hand, Heartbleed could allow an attacker to gain access to the private keys securing a vulnerable website and decrypt all kinds of traffic and conversations. It could give the keys away. Thus, Heartbleed caused a massive amount of rekeying to take place beyond simply patching the hole in the first place. On the pain scale, this vulnerability is maybe a two, whereas Heartbleed is a 10.

Six weeks ago, in the aftermath of the Heartbleed fiasco, I opined on why Heartbleed may have happened, lamented the dearth of attention and funding that was devoted to such a massively critical infrastructure component, and suggested that software vendors and other companies that have long relied on OpenSSL should send some resources its way. It's only security on the Internet, after all.

Luckily, a month later, that's exactly what happened. OpenSSL will be getting two more dedicated developers, more funding, and a full security audit. What a groundbreaking idea!

The fact of the matter is that without the likes of Heartbleed, OpenSSL would have continued to limp along with nowhere near enough resources to take care of itself and provide for the proper maintenance of a software package that is critical to Internet security. Eventually another major bug -- perhaps worse than Heartbleed -- would have appeared and we'd be in a tizzy over that. As it turned out, Heartbleed was the shot across the bow that we needed: truly frightening, but without too much actual damage having been done.

The parts of OpenSSL that were broken are getting fixed. Much of what was broken was due to lack of attention and resources. The project is now getting the attention it has long deserved, and the funds and resources to back that up. In the wake of these major events, perhaps it's best to shelve the hyperbole and focus on the facts.

But hey, if it bleeds, it leads, right?

This story, "The new OpenSSL flaw is no Heartbleed," was originally published at InfoWorld.com. Read more of Paul Venezia's The Deep End blog at InfoWorld.com.
