Every Linux user must have heard about the recent "news" of vulnerabilities in Linux. Particularly, I'm talking about the "Heartbleed" issue surrounding the implementation of the OpenSSL libraries. To understand the "vulnerability," you first have to understand what the OpenSSL libraries actually do. Here's a brief description from Wikipedia:
OpenSSL is an open-source implementation of the SSL and TLS protocols. The core library, written in the C programming language, implements the basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available.
In a nutshell, OpenSSL helps to keep our communications and transactions over the web safe, on information resources that utilize SSL and TLS security. It helps to keep your identity and passwords secure, between you and the server. Furthermore, it helps to keep your credit card information -- as well as any other sensitive private data -- secure from those who may want to intercept it.
As it turns out, OpenSSL had a "chink" in its armor. A simple programming mistake by one of its maintainers allowed snoops to intercept not only usernames and passwords, but also any sensitive, private data that was shared -- and even the server's SSL and TLS keys!
If you're somewhat confused on what Heartbleed is all about, here's an excellent summary from Wikipedia, from that same article:
OpenSSL versions 1.0.1 through 1.0.1f had a severe memory handling bug in their implementation of the TLS Heartbeat Extension that could be used to reveal up to 64 kilobytes of the application's memory with every heartbeat. By reading the memory of the web server, attackers could access sensitive data, including the server's private key. This could allow attackers to decode earlier eavesdropped communications if the encryption protocol used does not ensure Perfect Forward Secrecy. Knowledge of the private key could also allow an attacker to mount a man-in-the-middle attack against any future communications. The vulnerability might also reveal unencrypted parts of other users' sensitive requests and responses, including session cookies and passwords, which might allow attackers to hijack the identity of another user of the service. At its disclosure, some 17%, or half a million, of the Internet's secure web servers certified by trusted authorities were believed to have been vulnerable to the attack.
More information about the Heartbleed exploit can be found here, here, here, here, and here.
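The bug in the Wikipedia summary above came down to one missing comparison: the heartbeat handler trusted the payload length claimed inside the message and copied that many bytes back to the peer, whether or not the record actually contained them. The following is an added example (not OpenSSL's code and not from the original article) showing, in a simplified model of an RFC 6520 heartbeat record, the check that the fixed release performs before echoing a payload; `heartbeat_respond`, `HB_PADDING` and the two `sample_*` helpers are assumed names for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of a TLS heartbeat record (RFC 6520):
 *   byte 0     : message type (1 = request, 2 = response)
 *   bytes 1-2  : payload_length, big-endian
 *   bytes 3..  : payload, followed by at least 16 bytes of padding
 * The record's true length (rec_len) comes from the TLS record layer,
 * and must never be replaced by the length the sender claims. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Hardened handler: rejects any request whose claimed payload does not fit
 * inside the bytes actually received. Returns the response length written
 * to out, or -1 if the request is rejected or out is too small. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* The bounds check Heartbleed lacked: claimed length vs. real length. */
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return -1;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);        /* echo only bytes that exist */
    memset(out + 3 + payload, 0, HB_PADDING);  /* padding content is ignored */
    return (int)resp_len;
}

/* Constructed sample inputs (not captured traffic) for the reader and tests. */
int sample_wellformed(void)
{
    uint8_t rec[3 + 5 + HB_PADDING] = {HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    uint8_t out[64];
    int n = heartbeat_respond(rec, sizeof rec, out, sizeof out);
    return (n == (int)sizeof rec && out[0] == HB_RESPONSE &&
            memcmp(out + 3, "hello", 5) == 0) ? n : -1;
}
int sample_overclaimed(void)
{
    /* Claims 65535 payload bytes but carries only "hi": must be refused. */
    uint8_t rec[3 + 2 + HB_PADDING] = {HB_REQUEST, 0xff, 0xff, 'h', 'i'};
    uint8_t out[64];
    return heartbeat_respond(rec, sizeof rec, out, sizeof out);
}
```

The well-formed request is echoed as a 24-byte response, while the over-claimed one is dropped instead of being answered with whatever followed the record in memory.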
In response, the Linux community, along with other members of the open source community, rallied around OpenSSL. A fix was made in a very short time, and that fix made its way out to users almost immediately. The Linux Foundation then started the Core Infrastructure Initiative, aimed at improving global security, enabling outside reviews, and improving responsiveness to patch requests. The list of founding members of the Core Infrastructure Initiative reads like a "who's who" among tech giants: The Linux Foundation, Google, Dell, Amazon Web Services, Cisco, Facebook, Fujitsu, IBM, Intel, Microsoft, NetApp, RackSpace, and VMware. The initial focus of the CII group is the OpenSSL Foundation.
Each company has agreed to contribute $100,000 per year, for a minimum of three years, to help fund the work on OpenSSL. Over that three-year period, that will amount to $3.6 million. This should go a long way toward improving security. The programmer who accidentally introduced the bug into the OpenSSL source code stated that the project is "definitely under-resourced for its wide distribution. It has millions of users, but only very few actually contribute to the project."
Some might argue that it's foolish to just throw money at an open source project. But without funding, many open source projects wither and die on the vine. Without funding, the resources needed to keep a project going cannot be allocated, all but ensuring that the project is unable to meet its goals. With a library such as OpenSSL, many of those using the libraries profit from the work, and it has become a global de facto standard for helping to provide secure communications and transactions across an ever-growing web.
What's so exciting about being a Linux user and an open source software user -- and a PCLinuxOS user, in particular -- is that the vulnerability was patched and upgrades posted to the repos of most Linux distros before the ink had dried on the headlines. There was no waiting a month or more for a "Patch Tuesday" to address the issue. Nope. Quickly and quietly, without many users even realizing it, the vulnerability was addressed and closed.
No operating system can be 100% bulletproof. That includes Linux. But you have to admit that Linux is far less vulnerable than any commercially available operating system. Thanks to its open source architecture,
The "takeaway" from all of this is at least twofold. First, it's important that open source projects receive the funding they need to continue to meet their goals, especially once that project has come into widespread use. Second, it illustrates perfectly the speed at which the open source community can respond to threats, given that the source code is open and free to view by anyone who wants to view it, and that anyone may freely contribute to such projects. With "many eyes" able to view the source code, as opposed to only the eyes of a privileged few, bugs and vulnerabilities can be addressed more quickly, and the community at large can prevent the exploitation of other users by those with ulterior and cynical motives.
Rest assured, both the main PCLinuxOS website and The PCLinuxOS Magazine website are safe and free of the Heartbleed vulnerability. So, until next month, I bid you peace, happiness, serenity and prosperity.