I usually don’t like writing about outstanding issues in software because by the time I get it up and online, many companies and projects are able to quickly patch and release, thus rendering my bug-spotting quaint and irrelevant.
But today there are a few I am not letting slide. The first one is the “goto bug,” which remains in Mac OS X 10.9. This one is so bad, and so egregious, it has its own fan page. This existed in iOS as well, but was already patched there, showing where Apple’s priorities lie these days.
What is the bug? Well, Apple’s SSL library has one single line that invalidates all the SSL checking in the world: It has a goto statement for successful checks. That means an attacker can very quickly get to that statement, bypassing the actual check. It’s a classic bug type that has a devastating effect. (Sun Microsystems had a similar issue in Solaris for years: Telnet simply returned a “yes” on all login attempts that were formatted in a certain way.)
(UPDATE: Apple has patched goto fail at the bottom with a time stamp.)
Second bug, and this really isn’t so much a bug as a deliberate, evil, and dangerous attempt at poisoning an IETF standard. There was a lot of worry around this addition to HTTP 2.0, with claims that it allowed for a man-in-the-middle (MitM) attack on secure proxy users. That’s been reduced, somewhat, by the understanding that this vulnerability only exists in connections that could already be MitM’d. But it’s still quite worrisome, as the true problem here is that both sides of the proxy transaction have to be secure, and if one of them opts out in this fashion, the other side can think they are secure, when in fact they are not.
Ah, security. Will it never get any easier? No, of course it won’t. In fact, security is only getting harder, as is evidenced by the fact that this year’s RSA conference is packed to the gills with suits, as it is every year. Even when the economy was in the trash in 2009, the RSA Conference was booming.
Why? Because security is really difficult. At the end of the day, it requires a collaboration between development and operations, just as agile DevOps does. The developers need to keep their code clean and safe, and need to keep the operations team up to date on the surface area their applications will expose. If operations isn’t keeping track of the security updates for that newfangled NoSQL database the developers are using, there could be some major problems very soon.
If there’s nothing else you take away from this week’s security conference in San Francisco, take away this: Your data center is a war zone. Harden accordingly.