Evolution of OpenSSL Security After Heartbleed
OpenSSL has evolved a great deal in terms of security since the disclosure of the Heartbleed vulnerability back in 2014.
OpenSSL, an open source library that implements the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, is widely used by organizations to protect communications.
In April 2014, the world learned that OpenSSL was affected by a critical vulnerability, dubbed Heartbleed and tracked as CVE-2014-0160, that could be exploited to steal potentially sensitive information from supposedly protected communications without leaving a trace.
“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software,” the researchers who discovered Heartbleed wrote on a website dedicated to the vulnerability. “This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
There have been some reports of attacks exploiting Heartbleed following its disclosure, and it has even been claimed that the NSA had known about the vulnerability prior to its disclosure and leveraged it to gather critical intelligence, a claim that the agency denied.
The discovery and disclosure of the Heartbleed vulnerability represented a turning point for OpenSSL.
Following the disclosure and patching of Heartbleed in April 2014, the cybersecurity community and the tech industry turned their attention to the open source project and things started to change. The project received significant funding and more people became involved in its development.
While nearly a dozen critical and high-severity vulnerabilities were found in OpenSSL between the disclosure of Heartbleed and the end of 2016, in 2017 there was only one high-severity flaw identified, and in 2018 and 2019 most of the patched weaknesses were low-severity, with the remaining rated medium.
Matt Caswell, a member of the OpenSSL Management Committee, told SecurityWeek that there was a major reorganization of the project following the disclosure of Heartbleed.
“Prior to that time we only really had a couple of people making regular commits on the project and no one who was exclusively focused on supporting it full time. Due to the lack of resources it was very difficult for the community to engage with the project and get their patches incorporated,” Caswell explained. “One of the first things we did [as part of the reorganization] was recruit new people into the project and we deliberately set about building a community.”
There are currently two people who work full-time on the OpenSSL code, a figure that does not include individuals assigned by their organizations to work on the project. There are also a total of 16 individuals on the committer team and many more in the broader community who contribute patches.
According to Caswell, 30 OpenSSL contributors made 469 commits to the master branch in 2013, which was the last full year before the disclosure of Heartbleed. In comparison, in 2019, roughly 150 authors made over 1,800 commits.
“This broader community engagement means we really do have many more eyes on the code and a much healthier project,” Caswell said.
In the aftermath of Heartbleed, the OpenSSL Project also started focusing on code quality and introduced a mandatory code review process for all commits, ensuring that every line of code is verified by at least two experienced developers before being accepted.
Other steps taken in recent years in an effort to improve security included multiple external audits of the codebase, significant additions to the built-in test framework, integrated fuzz testing, regular static analysis of the codebase, and integration with Travis CI and AppVeyor to ensure that all pull requests are continuously tested.
“With the added community engagement that we have had, it has freed us up to be able to rewrite significant portions of the library that were in need of update,” Caswell said. “For example over recent years the SSL/TLS state machine has been completely rewritten, and we have a brand new, high quality, random number generation component.”
Caswell noted that the higher number of serious vulnerabilities patched in 2015 and 2016 was a result of security researchers being increasingly interested in the project following the discovery of Heartbleed.
While the project continues to see engagement from the research community, the number of vulnerabilities found in OpenSSL in the past two years has decreased significantly, which Caswell believes is a result of OpenSSL becoming more secure.
In fact, one of the two groups awarded the Levchin prize for Real World Cryptography in 2018 was the OpenSSL team, recognized for the “dramatic improvements to the code quality of OpenSSL.”
The OpenSSL Project received funding from various sources following the discovery of Heartbleed, including the Linux Foundation’s Core Infrastructure Initiative (CII). However, Caswell says nearly all of that initial funding has now ended and they continue to seek organizations that are willing to support the project in the future.
“Getting a stable long term financial position for the project continues to be a challenge for us. We have a number of organisations that contribute staff time to the project and a number who have sponsored our current FIPS project,” he said. “We are hugely grateful to all of those organisations that have contributed in this way.”
OpenSSL is also covered by the HackerOne-hosted Internet Bug Bounty, through which researchers who found vulnerabilities in the code have earned rewards totaling over $31,000.