Linux Foundation adds more Internet protocols to its protection list

Core Infrastructure Initiative picks three projects to get funding, full-time staff: OpenSSL, OpenSSH, Network Time Protocol

It was easy enough to cry havoc or wring one's hands when the OpenSSL vulnerability Heartbleed came along. It was harder to actually do something about the problems of protecting critical pieces of Internet infrastructure. But the Linux Foundation decided a more holistic effort would be worth it, so it rallied together various parties to create the CII (Core Infrastructure Initiative).

Now the CII has selected which protocols will be the first in line to receive the foundation's time and effort. OpenSSL is on the list, as are two other projects with their own histories of issues: OpenSSH and NTP (Network Time Protocol).

First is OpenSSL, which will be receiving funding to support two full-time core developers. A separate initiative -- the Open Crypto Audit Project, best known for its auditing of TrueCrypt's source code -- will receive CII funds to perform its own audit of OpenSSL's code.

Then there's OpenSSH, a widely used utility for making secure command-line connections to servers and appliances that run some manner of Unix-like OS. Administrators rely on it routinely, making it a target for attacks like credential-stealing malware. Word of security issues within OpenSSH itself have turned up over time, some legit and some not. All this means some degree of investment in OpenSSH's protection is worth the effort, since it constitutes protecting a standard point of ingress.

The third project on the roster, NTP, is a dark horse because its security issues remained relatively unexploited until recently. A method known as "NTP reflection" was recently used to launch a DDoS attack on content delivery network CloudFlare, and again, the breadth of use for NTP makes it a prime choice for attackers.

Details about what will happen with OpenSSH and NTP are still sketchy, but according to a Linux Foundation spokesperson, both "will be receiving support for developers as well as infrastructure support."

Another project that seems like a strong fit for CII's efforts is an aging Internet protocol that has been implicated in a number of incidents that could either be attacks or misconfigurations: the border gateway protocol (BGP). Problems with the BGP have surfaced from time to time, most recently in a massive rerouting of Internet traffic through hosts in Belarus and Iceland. At least one existing proposal has been drafted to address BGP security, so perhaps the rising tide of CII's work will help lift that particular boat too.

This story, "Linux Foundation adds more Internet protocols to its protection list," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

Copyright © 2014 IDG Communications, Inc.