Wednesday, April 9, 2014

Heartbleed and the importance of tracking software

Many people have pointed to Heartbleed (see heartbleed.com) as a reason for a more extensive code audit of this core piece of software. I, however, see another thing we should consider doing: personal computers should make it easy to update every program on them that could be affected, and just as easy to update the affected libraries or code themselves.

The catch is that this already exists in the server world. We have many ways to audit servers, to defend against these problems, and to update quickly when an exploit is found. The user side, however, is a slightly different story. Many people forget that Heartbleed is not just a server-side exploit but a bug in the core OpenSSL library. That means any tool that uses an affected version, and possibly even web browsers if they use OpenSSL, could be vulnerable. Yet with the exception of Linux distros (such as Debian), there is no easy way to keep all of our applications up to date.
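As an added example (not from the original post), here is the kind of inventory check the post is asking for: given a constructed list of installed programs and the OpenSSL banner each one reports, classify each against the Heartbleed-affected range (1.0.1 through 1.0.1f, and 1.0.2-beta1, per heartbleed.com), and flag distribution-packaged builds for an advisory check rather than trusting their version string. The inventory entries, the program names and the `source` field are assumptions.

```python
import re
# Affected range per heartbleed.com: OpenSSL 1.0.1 through 1.0.1f, and 1.0.2-beta1.
# 1.0.1g and 1.0.2-beta2 carry the fix; the 1.0.0 and 0.9.8 branches were never affected.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

def parse_version(banner):
    """Pull (major, minor, patch, letter, beta) out of an 'openssl version' banner,
    or return None when the text carries no OpenSSL version at all."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return (int(major), int(minor), int(patch), letter, int(beta) if beta else None)

def is_heartbleed_affected(banner):
    """True/False for a parseable upstream banner, None if no version is present."""
    v = parse_version(banner)
    if v is None:
        return None
    major, minor, patch, letter, beta = v
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"   # "" (plain 1.0.1) sorts before "a", so it is affected too
    if (major, minor, patch) == (1, 0, 2):
        return beta == 1       # only the first 1.0.2 beta shipped the bug
    return False

STATUS = {None: "unknown", True: "affected", False: "not affected"}

def scan_inventory(inventory):
    """Classify each installed program by the OpenSSL build it reports. Distribution
    packages usually keep the upstream letter (e.g. 1.0.1e) and ship the fix as a package
    revision, so their banner alone proves nothing: flag them for an advisory check."""
    report = {}
    for app in inventory:
        if app["source"] == "distro-package":
            report[app["name"]] = "check package advisory"
        else:
            report[app["name"]] = STATUS[is_heartbleed_affected(app["banner"])]
    return report

# Constructed inventory standing in for what a desktop software tracker would collect.
SAMPLE_INVENTORY = [
    {"name": "browser (bundled OpenSSL)", "source": "bundled", "banner": "OpenSSL 1.0.1e 11 Feb 2013"},
    {"name": "mail client", "source": "bundled", "banner": "OpenSSL 1.0.1g 7 Apr 2014"},
    {"name": "legacy sync tool", "source": "bundled", "banner": "OpenSSL 0.9.8y 5 Feb 2013"},
    {"name": "nightly build", "source": "bundled", "banner": "OpenSSL 1.0.2-beta1 24 Feb 2014"},
    {"name": "system libssl", "source": "distro-package", "banner": "OpenSSL 1.0.1e 11 Feb 2013"},
    {"name": "offline editor", "source": "bundled", "banner": "no TLS library linked"},
]
```

Calling `scan_inventory(SAMPLE_INVENTORY)` returns one status per program; only the bundled copies are judged by banner, while the distro-packaged one is deferred to the package manager's advisory.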

One may point to the OS X App Store or the Windows Store introduced in Windows 8, but these are not sufficient. Both are more concerned with verifying the creator than with allowing open usage. Why are many open source apps not on the app stores? Because the app stores' terms explicitly violate the GPL license terms. Not only that, but it often costs money to get keys to develop for a platform. This goes against the idea of open source software: it limits how easily developers can switch off and contribute builds, and so on. Instead, Apple and Windows need to reach out to open source developers to make it easier for open source software to appear in their respective stores.

So, in closing: while Heartbleed is being patched on servers and everyone rushes to expand auditing of OpenSSL, please also think about better software tracking and updating, so that similar browser-side exploits do not leave behind an extended attack surface.