Thursday, March 6, 2014

Is Linux SSL/TLS Flaw an NSA Backdoor?

A code audit conducted by a Red Hat engineer in February uncovered a critical bug in GnuTLS, an SSL/TLS (Secure Sockets Layer/Transport Layer Security) library used by many Linux distributions. The bug, tracked as CVE-2014-0092, was disclosed on March 3. It followed a similar certificate-checking bug found in Apple's TLS implementation last month.

The flaw is in certificate verification. A specially crafted certificate that should fail verification is instead accepted as valid, so an attacker who can sit between two points on a network (like the Internet) can present a fraudulent certificate, impersonate the server, and read or alter traffic that the SSL/TLS layer is supposed to protect. SSL/TLS is used for everything from securing your banking transactions to protecting your email and chats.
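To show why a forged certificate slips through, here is an added example (not GnuTLS source; the structures and helper names are invented for illustration) that reduces the verification control flow to its essentials. The vulnerable function promises "1 = verified, 0 = not verified", but when an internal parsing step fails it jumps to cleanup still holding a negative error code. The caller tests "nonzero means verified", so a certificate whose signature block the parser cannot even read is waved through. The fixed version normalises every error path to 0.

```c
/* Added example, not GnuTLS code: a model of the CVE-2014-0092 control flow.
 * All names and the constructed certificates below are assumptions for the demo. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ERR_ASN1_DECODE (-68)   /* constructed stand-in for a library error code */

/* A deliberately tiny "certificate": issuer name plus a signature field.
 * A NULL signature models a malformed field the parser chokes on. */
struct cert {
    const char *issuer;
    const char *signature;
};

/* Stand-in for the signed-data parsing helper:
 * 0 on success, a negative error code if the structure cannot be parsed. */
static int get_signed_data(const struct cert *c)
{
    return c->signature == NULL ? ERR_ASN1_DECODE : 0;
}

/* Stand-in for checking the signature against the trusted CA: 1 good, 0 bad. */
static int signature_ok(const struct cert *c, const char *trusted_ca)
{
    return strcmp(c->issuer, trusted_ca) == 0 &&
           strcmp(c->signature, "sig-by-trusted-ca") == 0;
}

/* VULNERABLE: documented contract is 1 = verified, 0 = not verified, but the
 * error path leaks the negative 'result' through 'goto cleanup'. */
int verify_certificate_vulnerable(const struct cert *c, const char *trusted_ca)
{
    int result;

    result = get_signed_data(c);
    if (result < 0)
        goto cleanup;          /* BUG: result is still negative here */

    result = signature_ok(c, trusted_ca);

cleanup:
    return result;
}

/* FIXED: every internal failure is reported as "not verified" (0), which is
 * what the GnuTLS fix did on its error paths. */
int verify_certificate_fixed(const struct cert *c, const char *trusted_ca)
{
    int result;

    if (get_signed_data(c) < 0) {
        result = 0;            /* treat any parse failure as "not verified" */
        goto cleanup;
    }

    result = signature_ok(c, trusted_ca);

cleanup:
    return result;
}

/* The caller pattern that turns the leak into a bypass: "if (!verify) reject"
 * accepts any nonzero value, including negative error codes. A defensive
 * caller would instead require verify(...) == 1. */
bool accept_cert(int (*verify)(const struct cert *, const char *),
                 const struct cert *c, const char *trusted_ca)
{
    if (!verify(c, trusted_ca))
        return false;          /* rejected */
    return true;               /* accepted */
}

/* Constructed certificates: one genuine, one forged, one malformed on purpose. */
static const struct cert legit     = { "Example Root CA", "sig-by-trusted-ca" };
static const struct cert forged    = { "Example Root CA", "sig-by-attacker" };
static const struct cert malformed = { "Example Root CA", NULL };

bool vulnerable_accepts(const struct cert *c)
{
    return accept_cert(verify_certificate_vulnerable, c, "Example Root CA");
}

bool fixed_accepts(const struct cert *c)
{
    return accept_cert(verify_certificate_fixed, c, "Example Root CA");
}

int main(void)
{
    printf("vulnerable: legit=%d forged=%d malformed=%d\n",
           vulnerable_accepts(&legit), vulnerable_accepts(&forged),
           vulnerable_accepts(&malformed));
    printf("fixed:      legit=%d forged=%d malformed=%d\n",
           fixed_accepts(&legit), fixed_accepts(&forged),
           fixed_accepts(&malformed));
    return 0;
}
```

The forged certificate with a well-formed but wrong signature is rejected by both versions; the interesting case is the deliberately malformed one, which the vulnerable path accepts because a parse error looks like "true" to the caller. That is also why a fuzzer or a static checker looking for obvious memory errors would not flag it: the code is memory-safe, it just returns the wrong kind of value.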

The bug affects not only Red Hat but nearly every Linux distribution that ships GnuTLS, and it has been in the code since 2005. Because GnuTLS is a shared library, the list of programs that link against it is long; updating the library covers most of them, but anything that bundles its own copy or is statically linked has to be rebuilt separately.

TLS is the successor to SSL and is standardised by the IETF (Internet Engineering Task Force); TLS 1.0 was published in 1999 and revised as TLS 1.1 in 2006 and TLS 1.2 in 2008. (Interestingly, documents from 2012 leaked by Edward Snowden show the NSA had recently added Apple users to its list of compromised systems.)

Chrome and Firefox users are safe from this bug because neither browser uses GnuTLS; both use Mozilla's NSS library, which is not affected by this vulnerability.

How could such a gaping hole go so long without being discovered in Open Source software? Don't 'many eyes make all bugs shallow?'

According to this article in PCWorld, David Walser, a security manager for Mageia Linux, explained,
“The code is extremely complicated. Even though the code is freely available for review, only a select group of people would be qualified to accurately analyze and understand the whole system well enough to catch such a subtle bug. It’s also not the type of vulnerability that can be found by automated analysis tools, requiring manual scrutiny instead."
In September of 2013, Linus Torvalds caused a stir in the Linux community when he indicated, through a nod of the head, that the NSA had requested a back door into Linux systems.

Following news of the hint, Linus is reported to have said he was joking. Was this retraction due to the Linux community not getting the joke or was it due to legal advice? Linus is not known for his sense of humor. Rather, he is known for being honestly blunt, sometimes a bit too blunt.

The question has hung in the air ever since: Is there a backdoor in Linux? And is this SSL/TLS vulnerability an NSA backdoor?

The FBI has been obsessed with breaking encryption for more than a decade. Documents leaked by Edward Snowden have shown the NSA went to great lengths to access encrypted data, from pressuring companies to install government-accessible back doors or hand over encryption keys, to stealing keys from those who did not cooperate. According to the NY Times:
"The N.S.A. hacked into target computers to snare messages before they were encrypted. In some cases, companies say they were coerced by the government into handing over their master encryption keys or building in a back door. And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world."
There was also a purported back door in the OpenBSD operating system, disclosed on a mailing list in December of 2010. The writer stated that his non-disclosure agreement had recently expired and he wanted everyone to know that security holes had been intentionally placed in the system:
"My NDA with the FBI has recently expired, and I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI."
No back door was found in OpenBSD when the claim was investigated. The OCF is a kernel-level crypto framework and shares no code with GnuTLS, so the two cases are not technically linked; what invites the comparison is the time frame and the kind of data targeted, which fit the near-decade-old flaw just disclosed in GnuTLS.

We don't know whether this huge security flaw was intentionally placed in the code or is an honest coding error. The commit history shows when it arrived, not why. But no one can dispute that it existed unnoticed for a very long time.

A patch for the bug has been released (GnuTLS 3.2.12 and 3.1.22, with distributions back-porting the fix to the older branches they ship) and updates are available for most Linux distributions. Update your system now, and restart any long-running services that were using the old library, since a running process keeps the version it loaded at startup until it is restarted.

Thank you to Red Hat for finding and disclosing this bug. This shows without a doubt that open code does not guarantee security, and that automated tools for finding flaws are no substitute for trained eyes.

"Many eyes make all bugs shallow" may still hold for ordinary bugs, but what of intentional vulnerabilities that have been carefully obfuscated, or a small but profound mistake buried in millions of lines of code? Perhaps the adage needs to be updated to reflect the complexity of today's code: "Qualified eyes make all bugs shallow."