
Can open source cryptography libraries be trusted?

After the Heartbleed fiasco, the future of OpenSSL and open source cryptography libraries is up in the air. Application Security Expert Michael Cobb discusses whether they can -- and should -- be trusted.

After the whole Heartbleed fiasco, the question has to be asked: Can OpenSSL ever be considered secure again? Should we be more wary of applications that use it? Would it be advisable -- where possible -- to move to something like LibreSSL?

OpenSSL is used by millions of servers and by organizations large and small around the world, and it is one of the two main established cryptography libraries (the Windows Crypto library being the other).

However, the Heartbleed flaw has shaken confidence in this open source software. More than half a million SSL certificates have potentially been compromised as a result of the Heartbleed vulnerability. Exploiting the bug leaves no trace of anything abnormal in server logs, which makes vulnerable versions of OpenSSL an attractive target for attackers. Enterprises with affected certificates should check with their certificate authority about how compromised keys can be revoked and new certificates reissued. Those who issue self-signed certificates should revoke and reissue them as soon as they have upgraded their OpenSSL software.
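As an added example (not part of the article, and not OpenSSL project code), the following Python helper works through the two remediation steps just described: first confirm that each host is no longer running a build in the affected range, then flag every certificate whose private key was already in use before that host was upgraded, since the key must be assumed exposed and the certificate revoked and reissued. The affected range (OpenSSL 1.0.1 through 1.0.1f, plus the 1.0.2-beta1 prerelease; fixed in 1.0.1g) is taken from the OpenSSL security advisory of April 2014, not from the article. The host inventory, hostnames and dates are constructed sample data.

```python
"""Heartbleed remediation triage: version check plus certificate reissue check.

Added example; assumptions:
- affected builds are OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 (per the
  OpenSSL advisory; 1.0.1g and 1.0.2-beta2 carry the fix);
- `patched_on` is the date the host first ran a fixed build, or None when the
  inventory owner has not recorded it yet;
- a certificate whose notBefore date precedes `patched_on` had its key on a
  vulnerable server, so it is flagged for revocation and reissue.
"""
import re
from datetime import date

# Matches 'OpenSSL 1.0.1e 11 Feb 2013' and 'OpenSSL 1.0.2-beta1 24 Feb 2014'.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(banner):
    """Parse the output of `openssl version`.

    Returns (major, minor, patch, letter, beta) or None if unrecognised.
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return (int(major), int(minor), int(patch), letter, int(beta) if beta else None)


def is_heartbleed_affected(banner):
    """True when the version string falls inside the affected range."""
    v = parse_openssl_version(banner)
    if v is None:
        raise ValueError("unrecognised OpenSSL version string: %r" % banner)
    major, minor, patch, letter, beta = v
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f; 1.0.1g is the first fixed release
        return letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        # only the 1.0.2-beta1 prerelease shipped the vulnerable heartbeat code
        return beta is not None and beta < 2
    return False


def triage(record):
    """Classify one inventory record into a remediation action."""
    try:
        still_vulnerable = is_heartbleed_affected(record["openssl"])
    except ValueError:
        return "UNKNOWN_VERSION"        # needs a manual look before anything else
    if still_vulnerable:
        return "UPGRADE_OPENSSL"        # step one: replace the vulnerable build
    if record["patched_on"] is None:
        return "CONFIRM_UPGRADE_DATE"   # fixed build, but exposure window unknown
    if record["cert_not_before"] < record["patched_on"]:
        return "REVOKE_AND_REISSUE"     # key lived on a vulnerable server
    return "OK"


def triage_inventory(inventory):
    """Map each host to its remediation action."""
    return {r["host"]: triage(r) for r in inventory}


# Constructed sample data, not real hosts.
SAMPLE_INVENTORY = [
    {"host": "web-1.example.test", "openssl": "OpenSSL 1.0.1e 11 Feb 2013",
     "cert_not_before": date(2013, 9, 1), "patched_on": None},
    {"host": "web-2.example.test", "openssl": "OpenSSL 1.0.1g 7 Apr 2014",
     "cert_not_before": date(2013, 9, 1), "patched_on": date(2014, 4, 9)},
    {"host": "web-3.example.test", "openssl": "OpenSSL 1.0.1g 7 Apr 2014",
     "cert_not_before": date(2014, 4, 10), "patched_on": date(2014, 4, 9)},
    {"host": "api.example.test", "openssl": "OpenSSL 1.0.1h 5 Jun 2014",
     "cert_not_before": date(2014, 1, 1), "patched_on": None},
    {"host": "legacy.example.test", "openssl": "OpenSSL 0.9.8y 5 Feb 2013",
     "cert_not_before": date(2012, 1, 1), "patched_on": date(2012, 1, 1)},
    {"host": "odd.example.test", "openssl": "unknown build",
     "cert_not_before": date(2012, 1, 1), "patched_on": None},
]

if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE_INVENTORY).items():
        print("%-22s %s" % (host, action))
```

One caveat for the version step: distributions such as Debian and Red Hat backport security fixes without bumping the version string, so a host reporting 1.0.1e may already be fixed. On such systems, confirm against the package changelog before acting on an `UPGRADE_OPENSSL` result, and treat the version string as a first filter rather than the final word.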

Over the long term, enterprises need to assess whether using an alternative cryptography library is the best way forward. Very few organizations are likely to have the in-house skills necessary to develop their own cryptography libraries, but using any third-party library -- open source or proprietary -- means relying on others to implement and deliver security correctly. Open source cryptography software often relies heavily on part-time volunteers who have full-time day jobs -- people the HR department is never going to meet or vet. Despite this, the open source model has proven to be the best approach for developing robust cryptographic code. For example, the OpenSSL Foundation reacted to news of the flaw by promptly providing a fix, whereas software vendors often drag their feet.

But, as everyone now knows, open source projects need to be properly funded and have a large, active development community; otherwise coding errors and vulnerabilities go unnoticed, just as in any poorly resourced or poorly developed commercial software. OpenSSL has suffered from a lack of funding and code contributions, which is why OpenBSD founder Theo de Raadt has started a fork of OpenSSL as a potential replacement. LibreSSL is supported financially by the OpenBSD Foundation and the OpenBSD Project, and it is part of the very active OpenBSD developer community, which has a clear policy on how contributions are evaluated and included, as well as a reliable regime for handling errors and problems. LibreSSL is initially being developed for the OpenBSD operating system -- its first inclusion will be in OpenBSD 5.6 -- but it will support multiple operating systems once the code and a stable commitment of further funding are in place.

Although LibreSSL may become the de facto library used to implement SSL/TLS services, enterprises must understand that they can't rely on someone else's assurances that software securing key data is safe. Security teams need to conduct their own due diligence and test to ensure the code or component is secure against the most common and pertinent threats their infrastructure faces. Bugs in software are a fact of life, so enterprises that use open source libraries should strongly consider contributing to the projects that maintain them: the speed with which vulnerabilities are discovered or prevented correlates directly with the quality of the technical resources devoted to the project. Contributing in this way is also far cheaper than funding an in-house team of cryptographers or recovering from a vulnerability such as Heartbleed.


This was last published in October 2014

3 comments

I would like you to give me any test on the topic.

You should always be wary of all cryptography software - it's where you'd expect spies to go to insert trapdoors.

You can only trust open source though. Closed source is spyware and you're simply irresponsible if you take the word of a company that gives you binaries.

A lot more work should be done to make open source cryptography easier to use, easier to understand and, thus, easier to prove secure.

Nobody should ever use closed source unless the data doesn't matter.

No source code, no security.

In my opinion, because of the nature of open source, I would use it with caution, even if it was from a trusted source. There are no guarantees that it has not been tampered with.
