In the light of today's OpenSSL vulnerabilities, CVE-2022-3786 and CVE-2022-3602, I think the security industry (and particularly those on Twitter) needs to show a little humility and gratitude towards the developers of OpenSSL, rather than the contempt and cynicism that seems to be playing out in some circles.
It's worth remembering
- This library is one of the most widely deployed cryptographic libraries in the world and has become part of the Internet fabric. In earning that status, it has protected massive amounts of traffic across the Internet, improving security for the entire world since 2012, by helping migrate the world to https.
- This library is made available to the world for free. If you use it and haven’t financially contributed towards its development, but think the OpenSSL team has somehow “let you down”, then you are a fool and a hypocrite.
- If you are complaining that you weren’t part of the advanced warning group and are complaining it's probably because you didn’t need to be. I understand your feelings may have been hurt because you weren’t on the VIP list, but get over it and make yourself more relevant for next time.
- It's true to say that the early days of the project resulted in a stream of vulnerabilities, but that was a different era, with different engineers. OpenSSL is now one of the most heavily audited pieces of code in the world, especially true since HeartBleed (CVE-2014-0160) in 2014. Given that, the level of scrutiny and the relatively low number of vulnerabilities since 2014, is what you should expect from a security conscious project.
- If a Critical vulnerability is downgraded to a High, based on feedback from the advanced disclosure people, that's a good thing. Before you start posting memes about Chicken Little and FacePalm gifs, read the reason it was downgraded and understand that they listened to testers and took action based on their input. You were probably part of the same crew that was talking it up all week.
There is no doubt whatsoever that there are critical flaws (pun intended) with the open source software model and public vulnerability disclosure process, but they pale into insignificance against the positive impact OpenSSL has had on the Internet.
To the OpenSSL team - Chapeau, you are hidden heroes. Email me your addresses, I want to ship you a nice bottle of something to say thanks for all your do.
To the sour security pundits - you should remember that you are living in an ivory tower.
To the ambulance chasers - you should remember that people in glass houses shouldn’t throw stones.