OpenSSL, arguably the world's most important Web security library with its support for Secure Sockets Layer (SSL) and Transport Layer Security (TLS) in such popular Web servers as Apache and Nginx, has had real trouble. First there was Heartbleed, and more recently there is FREAK. It's been one serious security problem after another. Now the NCC Group, a well-regarded security company, will be auditing OpenSSL's code to catch errors before they appear in the wild.
This is being paid for by the Linux Foundation's Core Infrastructure Initiative (CII). The CII was set up to pay for essential, but woefully underfunded, open-source projects such as OpenSSL, the Network Time Protocol (NTP), and OpenSSH.
Thomas Ritter, a principal security engineer at NCC, told me in an e-mail that, "We're excited to announce that as part of the Linux Foundation's Core Infrastructure Initiative, and organized by the Open Crypto Audit Project, Cryptography Services will be conducting an audit of OpenSSL. This is an amazing opportunity to dive deeply into one of the pieces of software that so much of the world relies on, and we're honored to have been chosen to conduct it."
It's long been known that the OpenSSL code would be audited but there have been no details. In short, no one had answered the question, "Who was going to bell the cat?" Now we know.
Ritter said that, given the efforts OpenSSL has been making to reformat the code, "We finally feel the codebase is stable enough to announce and undertake this now. OpenSSL has been reviewed and improved by the Academic community, commercial static analyzer companies, and validation organizations, and individual review over the years, but this audit may be the largest effort to review it, and is definitely the most public."
Specifically, NCC will be focusing primarily on the TLS stacks, covering protocol flow, state transitions, and memory management. The group will also be looking at the BIOs and most of the high-profile cryptographic algorithms, and setting up fuzzers for the ASN.1 and X.509 parsers.
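To show what "setting up fuzzers for the ASN.1 parsers" means in practice, here is an added example that is not part of the article and not OpenSSL or NCC code: a small DER (ASN.1 tag-length-value) parser with the bounds checks a hardened parser needs, and a mutation fuzz loop that truncates and corrupts a constructed, certificate-shaped seed and classifies each outcome. A clean rejection (`DERError`) is the expected result for bad input; any other exception is the kind of parser bug an audit fuzzer is built to surface. The `strict=False` switch, the seed blob and the mutation strategy are all constructed for this illustration.

```python
import random


class DERError(ValueError):
    """Controlled rejection of malformed input; anything else is a parser bug."""


MAX_DEPTH = 32


def parse_tlv(buf, pos=0, depth=0, strict=True):
    """Parse one DER TLV at buf[pos]; return (tag, value, end).

    Constructed values (tag bit 0x20) are parsed recursively into a list of
    (tag, value) children. Every length is bounds-checked before it is used.
    strict=False skips the checks on the length bytes, standing in for the
    kind of missing check a fuzzer is meant to find (it is not real OpenSSL behaviour).
    """
    if depth > MAX_DEPTH:
        raise DERError("nesting too deep")
    if pos >= len(buf):
        raise DERError("truncated tag")
    tag = buf[pos]
    pos += 1
    if tag & 0x1F == 0x1F:
        raise DERError("multi-byte tags not supported in this example")
    if strict and pos >= len(buf):
        raise DERError("truncated length")
    first = buf[pos]  # with strict=False a cut-off input raises IndexError here
    pos += 1
    if first < 0x80:
        length = first  # short form
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise DERError("indefinite or oversized length")
        if strict and pos + nbytes > len(buf):
            raise DERError("truncated long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
        # DER requires the shortest possible length encoding
        if length < (0x80 if nbytes == 1 else 1 << (8 * (nbytes - 1))):
            raise DERError("non-minimal length encoding")
    end = pos + length
    if end > len(buf):
        raise DERError("length exceeds buffer")  # the classic over-read
    value = buf[pos:end]
    if tag & 0x20:  # constructed: children must exactly fill the value
        children, cpos = [], 0
        while cpos < len(value):
            ctag, cval, cpos = parse_tlv(value, cpos, depth + 1, strict)
            children.append((ctag, cval))
        value = children
    return tag, value, end


def parse_der(buf, strict=True):
    """Parse a whole DER blob; trailing bytes are rejected."""
    tag, value, end = parse_tlv(buf, 0, 0, strict)
    if end != len(buf):
        raise DERError("trailing data")
    return tag, value


def tlv(tag, payload):
    """Encode one DER TLV (used only to build the constructed seed input)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


# Constructed seed: a certificate-shaped SEQUENCE, not a real certificate.
SEED = tlv(0x30,
           tlv(0x02, b"\x02")                                # INTEGER (version)
           + tlv(0x06, bytes.fromhex("2a864886f70d01010b"))  # OID sha256WithRSAEncryption
           + tlv(0x30, tlv(0x0C, b"example.test"))           # SEQUENCE { UTF8String }
           + tlv(0x04, bytes(200)))                          # OCTET STRING, long-form length


def fuzz(seed, iterations=2000, rng_seed=1, strict=True):
    """Truncate the seed at every offset, then apply random byte-level mutations.

    Returns (accepted, rejected, crashed): inputs the parser accepted, inputs it
    rejected with DERError, and inputs that produced any other exception.
    """
    rng = random.Random(rng_seed)
    cases = [seed[:i] for i in range(len(seed))]  # deterministic truncation sweep
    for _ in range(iterations):
        b = bytearray(seed)
        op, i = rng.randrange(4), rng.randrange(len(b))
        if op == 0:
            b[i] ^= 1 << rng.randrange(8)                          # bit flip
        elif op == 1:
            b[i] = rng.choice((0x00, 0x7F, 0x80, 0x84, 0xFF))      # boundary bytes
        elif op == 2:
            del b[i]                                               # drop a byte
        else:
            b.insert(i, rng.randrange(256))                        # insert a byte
        cases.append(bytes(b))
    accepted = rejected = crashed = 0
    for case in cases:
        try:
            parse_der(case, strict)
            accepted += 1
        except DERError:
            rejected += 1
        except Exception:
            crashed += 1
    return accepted, rejected, crashed


if __name__ == "__main__":
    print("hardened parser (accepted, rejected, crashed):", fuzz(SEED))
    print("parser missing a length check:", fuzz(SEED, strict=False))
```

The hardened parser reports zero crashes over the whole corpus, while the variant with the length-byte check removed crashes on the truncated inputs; in a native parser that same class of missing check is an out-of-bounds read rather than a Python exception, which is why the audit pairs the parsers with fuzzers rather than relying on review alone.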
Ritter concluded, "While the audit won't cover every single corner of the codebase, we believe it will be a useful component of the broader efforts being undertaken to improve OpenSSL's engineering and security. This is a fairly large audit, so we expect the preliminary results to start coming out towards the beginning of the summer after we coordinate with the OpenSSL team."
Given how important OpenSSL is to the internet, and how many major security bugs have shown up in the wild, this audit and the resulting code improvements can't come soon enough.
- FREAK: Another day, another serious SSL security hole
- Mission: Funding all those small but important open-source projects
- Google reveals major flaw in outdated, but widely-used SSL protocol
- Cash, the Core Infrastructure Initiative, and open source projects
- Heartbleed: Serious OpenSSL zero day vulnerability revealed