What You Need to Know About OpenSSL’s Security Updates

by Brad Garland

The latest round of security fixes for OpenSSL was released on March 19, 2015, and addresses a variety of issues. Here’s what you need to know about the updates:

What’s Included in the Updates?

The release addresses 12 separate security issues, two of which the OpenSSL project rates as “high severity.” Only one of those two is a new discovery; the other had already been fixed in an earlier release and was reclassified from low to high severity in this advisory.

The new releases also continue to carry the earlier fixes for the Heartbleed bug and for the more recently publicized FREAK flaw. In FREAK’s case the underlying code change had already shipped months before the flaw was widely reported; what changed in March was the severity rating, not the fix.

Who Do These Updates Affect?

OpenSSL is deployed on a remarkably large share of the world’s servers and devices, chiefly because it is free, open source, and bundled with most Linux distributions, web servers, and network appliances. Whether you use the internet as a consumer or run a business on it, you are almost certainly relying on OpenSSL every day, even if you never installed it for your own website.

High-profile users of the software include Facebook, Google, Yahoo, and a significant portion of state and federal government departments.

Why Does It Matter?

In April of 2014, the computer security industry was rocked by the discovery of the Heartbleed bug, a flaw in OpenSSL’s implementation of the TLS heartbeat extension. A malformed heartbeat request let an attacker read chunks of a server’s memory, which could include private keys, session cookies, and passwords, without leaving a trace in ordinary logs.

After Heartbleed was disclosed, experts were shocked at the severity of the flaw and asked why it had taken so long to detect. In reply, OpenSSL Software Foundation founder Steve Marquess posted a blog explaining that the team responsible for the software is small and operates on an even smaller budget. At the time, only four developers, most of them unpaid volunteers, were responsible for the entire codebase. As Marquess pointed out, “…the mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn’t happened more often.”

In response to his call for funding, the Foundation has received increased financial support from within the tech industry, allowing it to track down security problems more aggressively. It has vowed to put the funding to good use and seeks to repair the damage done to its reputation over the last year. That damage includes the more recently discovered FREAK flaw, in which an attacker positioned between a client and a server could force both sides to fall back to deliberately weakened 1990s-era “export-grade” encryption, break that weak key cheaply, and then read the supposedly protected traffic.

Looking to the Future

Industry experts have largely approved of OpenSSL’s recent efforts, so it appears that the increased funding has improved the situation. You can expect a continued uptick in security updates from the project, so it’s important to develop a good routine for applying those patches to your systems, if you haven’t already. Two details trip people up: a patched library only protects processes that were restarted after the upgrade, so web servers, mail servers, and VPN daemons that loaded the old library need a restart (or a reboot); and some Linux distributions backport fixes without changing the version number, so check your distribution’s package changelog rather than relying on the version string alone. A good way to validate your current exposure is a penetration test, which reviews and documents your institution’s presence on the Internet, characterizes your network and firewall, and identifies potential security weaknesses before an attacker does.
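As an added example of the kind of check a patch routine should include (this is not code from the article or from the OpenSSL project), the script below compares the version reported by `openssl version` against the release that carries a fix. OpenSSL versions of that era look like “1.0.1m” or “0.9.8zf”: numeric major.minor.fix followed by an optional letter suffix, and a longer suffix sorts after a shorter one, so a naive string or numeric comparison gets them wrong. The banner used at the bottom is a constructed sample, and the target version 1.0.1m (the 1.0.1-branch release of March 19, 2015) is just a parameter; substitute the fixed version for whichever branch you run.

```shell
#!/bin/sh
# Added example: decide whether an installed OpenSSL is at least the release
# that carries a given fix. Works with pre-3.0 versions such as "1.0.1m",
# "0.9.8zf" or "1.0.1e-fips", and with purely numeric versions like "1.1.1".

# Turn a version string into a key that sorts correctly as plain text:
# "1.0.1e-fips" -> "001.000.001_e". Numbers are zero-padded, build tags
# after "-" are dropped, and "_" before the suffix makes the empty suffix
# sort before "a" (so "1.0.2" < "1.0.2a") while "z" still sorts before "zf".
openssl_version_key() {
    v=${1%%-*}                          # strip "-fips" and similar tags
    base=${v%%[a-z]*}                   # numeric part, e.g. "1.0.1"
    suffix=${v#"$base"}                 # letter part, e.g. "e" (may be empty)
    set -- $(printf '%s\n' "$base" | tr '.' ' ')
    printf '%03d.%03d.%03d_%s' "${1:-0}" "${2:-0}" "${3:-0}" "$suffix"
}

# Succeeds (exit 0) when installed version $1 is at least required version $2.
# The smaller of the two keys is whichever `sort` prints first.
openssl_version_at_least() {
    a=$(openssl_version_key "$1")
    b=$(openssl_version_key "$2")
    first=$(printf '%s\n%s\n' "$a" "$b" | LC_ALL=C sort | head -n 1)
    [ "$first" = "$b" ]
}

# Pull the bare version out of an `openssl version` banner such as
# "OpenSSL 1.0.1k 8 Jan 2015" (second whitespace-separated field).
openssl_version_from_banner() {
    set -- $1
    printf '%s' "$2"
}

# Usage: check_openssl_patch_level "<openssl version banner>" "<fixed version>"
# Prints a verdict; exit 0 if the host is at or past the fixed version, 1 if not.
check_openssl_patch_level() {
    installed=$(openssl_version_from_banner "$1")
    if openssl_version_at_least "$installed" "$2"; then
        printf 'OK: OpenSSL %s is at or past %s\n' "$installed" "$2"
        return 0
    fi
    printf 'NEEDS UPDATE: OpenSSL %s is older than %s\n' "$installed" "$2"
    return 1
}

# Constructed sample banner, not captured from a real host. On a live system
# run: check_openssl_patch_level "$(openssl version)" 1.0.1m
SAMPLE_BANNER='OpenSSL 1.0.1k 8 Jan 2015'
check_openssl_patch_level "$SAMPLE_BANNER" 1.0.1m || true
# prints: NEEDS UPDATE: OpenSSL 1.0.1k is older than 1.0.1m
```

The comparison is deliberately done through `sort` rather than shell string operators so the script stays POSIX sh and runs on minimal images. Treat a passing result as necessary but not sufficient: on distributions that backport fixes the version string may stay at an older value even after the fix is installed, so confirm against the package changelog, and remember that long-running services keep the old library in memory until they are restarted.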