Which OpenSSL are you running?
[Posted November 4, 2003 by corbet]
OpenSSL is a well-advanced project
developing a free implementation of the Secure Sockets Layer and Transport
Layer Security protocols. The OpenSSL code can be used in many contexts,
but the most prominent use is almost certainly in web servers which need to
offer the "https" protocol. When you (hint...) type your credit card
number at LWN.net, the OpenSSL code ensures that said number cannot be
captured by eavesdroppers lurking between your browser and our server.
OpenSSL is, in other words, a critical part of the net's infrastructure.
The central role played by OpenSSL makes any security vulnerabilities in
that package especially frightening. The software is widely deployed and
exposed directly to the net, so holes can open up large numbers of systems
to compromise. Sites using OpenSSL are also relatively likely to have
something worth protecting, and are thus also relatively likely to be
targets for certain types of crackers.
One would thus think that administrators of sites running OpenSSL would
tend to stay current
on their security updates. According to a
survey run by Netcraft, however, one would be wrong. Netcraft looked
at the advertised OpenSSL versions running on just over 50,000 web sites.
Fully half of those sites were running version 0.9.6d (or earlier), which
has vulnerabilities that are fully exploitable by a remote attacker. Only
1,356 out of 50,891 sites were running versions 0.9.6k or 0.9.7c, which
were, at the time, free of known vulnerabilities (a vulnerability
has since been found which can lead to crashes on Windows platforms).
OpenSSL users, it would seem, have not been keeping up with their patches.
As Netcraft acknowledges, the above results are overly pessimistic.
Security updates provided by distributors usually just backport the fix for
the specific problem(s) to the (older) version of the software that was
originally included in the distribution, so the version string advertised in
a server's headers identifies the upstream release a package was built from,
not its patch level. Numerous sites which appear (to the outside) to be
running vulnerable software are, in fact, up to date. Netcraft could have
improved its numbers by seeing if an actual exploit worked on each system
tested, but that approach to data collection has practical problems of its own.
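To make the limits of a banner survey concrete, here is an added example (not code from Netcraft or LWN) that classifies web server "Server" headers the way such a survey must: by the advertised OpenSSL version alone. The version thresholds (0.9.6d and earlier vulnerable; 0.9.6k and 0.9.7c current) are taken from the article; the sample headers are constructed for the example, and the label names are this example's own. Note that the lowest category is deliberately named for its ambiguity: from the banner, an unpatched 0.9.6d and a distributor package with the fix backported look identical.

```python
import re
from collections import Counter

# Version thresholds as stated in the article: 0.9.6d and earlier were
# remotely exploitable; 0.9.6k and 0.9.7c were the clean releases of their
# branches at the time of the survey.
LAST_VULNERABLE = (0, 9, 6, "d")
CURRENT_BY_BRANCH = {(0, 9, 6): "k", (0, 9, 7): "c"}

# Classification labels returned by classify() (names chosen for this example).
VULNERABLE_OR_BACKPORTED = "vulnerable-or-backported"
CURRENT = "current"
BEHIND_BRANCH = "behind-branch"
UNKNOWN_BRANCH = "unknown-branch"
NO_BANNER = "no-banner"

# Constructed sample Server headers; not captured from any real site.
SAMPLE_HEADERS = [
    "Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.6d",
    "Apache/1.3.28 (Unix) mod_ssl/2.8.15 OpenSSL/0.9.6k",
    "Apache/2.0.47 (Unix) mod_ssl/2.0.47 OpenSSL/0.9.7c",
    "Apache/2.0.44 (Unix) mod_ssl/2.0.44 OpenSSL/0.9.7a",
    "Apache/1.3.26 (Unix) Debian GNU/Linux mod_ssl/2.8.9 OpenSSL/0.9.6c",
    "Microsoft-IIS/5.0",
]

_OPENSSL_RE = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(server_header):
    """Extract the OpenSSL version from a Server header as a comparable tuple.

    Returns (major, minor, patch, letter) or None if no OpenSSL token is
    present.  The letter suffix is kept as a string so that plain tuple
    comparison orders 0.9.6 < 0.9.6a < ... < 0.9.6k: an empty string sorts
    before any letter and letters sort alphabetically.
    """
    m = _OPENSSL_RE.search(server_header)
    if m is None:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def classify(server_header):
    """Judge a banner the way the survey did: from the advertised version only.

    A banner at or below 0.9.6d may be a genuinely unpatched build or a
    distributor package carrying a backported fix; nothing in the banner
    distinguishes the two, hence the combined label.
    """
    version = parse_openssl_version(server_header)
    if version is None:
        return NO_BANNER
    if version <= LAST_VULNERABLE:
        return VULNERABLE_OR_BACKPORTED
    branch, letter = version[:3], version[3]
    if branch not in CURRENT_BY_BRANCH:
        return UNKNOWN_BRANCH
    if letter >= CURRENT_BY_BRANCH[branch]:
        return CURRENT
    return BEHIND_BRANCH


def summarize(headers):
    """Tally classifications over a list of Server headers, survey style."""
    return dict(Counter(classify(h) for h in headers))


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify(header):24s} {header}")
    print(summarize(SAMPLE_HEADERS))
```

The only way to resolve the "vulnerable-or-backported" bucket is on the host itself: `openssl version` reports the library actually installed, and the distributor's package changelog or advisory says whether the fix for a given problem was carried into that package.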
The bottom line, however, is that there are certainly many vulnerable sites
out there. The fact that widespread exploits have not happened suggests
that the net is not quite as scary a place as it is sometimes made out to
be. But, sooner or later, an opening of this magnitude will certainly be
exploited. Whether it is used for some sort of unpleasant worm or for a
credit card scam doesn't really matter. Either way, it will impair the
trust in Linux, Apache, and network commerce in general. And it is
entirely avoidable.
If you have systems running older versions of OpenSSL, it is past time to
update them. The LWN
vulnerability entry will point you at the relevant distributor
updates.