Apple (NASDAQ:AAPL) earned another feather for its cap last week when it became apparent that iOS and OS X web services were not exposed to the Heartbleed security flaw that affected millions of websites. Over the years, Apple has been criticized for tightly controlling its ecosystem. But this time, it clearly benefited developers and infrastructure managers.
Apple didn't know about the flaw in advance, but it avoided a problem many reputable companies fell victim to, and it did so because it had already steered its developers away from OpenSSL, a library whose programming interface changes from one version to the next. Chance favors the prepared.
Heartbleed's vulnerability came from trusting a heartbeat
Ronald Reagan used the phrase "trust, but verify" when describing foreign policy. That phrase might sum up the issue that recently plagued the open-source community. OpenSSL is an open-source library that implements the SSL/TLS protocols, which let your computer confirm which server it is connected to and encrypt the traffic between them. Once the connection is established, either side can send a small message and expect the same message echoed back, to make sure the connection is still alive. This extra traffic is known as a heartbeat.
The problem arose in the handling of this heartbeat. A heartbeat request carries a payload and a field stating how long that payload is, and OpenSSL copied that many bytes from the incoming message into its reply without checking that the message actually contained that many bytes. Since the server didn't verify that the claimed length matched the size of the packet it had received, a client could ask for far more data than it had sent.
To the program, such a request looks well-formed, which is probably why the flaw went unnoticed for so long. But it opened the door for attackers to get back more data than they sent over. For example, if an attacker tells a server that the payload is 10 bytes long but actually sends only one, he gets back his one byte plus nine bytes of whatever happened to sit next to the request in the server's memory. The length field allows up to about 64 kilobytes per request, and the request can be repeated indefinitely. The extra bytes are leftovers from earlier activity, but they may contain a password, an email address, a bank account number or the server's own private key.
Heartbleed had been present in OpenSSL for roughly two years, but how big a risk it was became apparent only with its disclosure in April 2014. The vulnerability lets an attacker siphon off huge amounts of data, a little at a time, including passwords, credit card information, addresses, Social Security numbers, etc.
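To make the mechanism concrete, here is an added example that is not code from the article and is not OpenSSL's own source, but a simplified model of it. The record layout (type, two-byte length, payload, padding) and the two bounds checks in the fixed handler follow the published fix in OpenSSL 1.0.1g; the in-process "heap" and the secret string next to the request are constructed for the demo so that the over-read is simulated safely instead of performed for real.

```c
/* Added example (not from the article or from OpenSSL): a toy model of the
 * TLS heartbeat handling behind Heartbleed (CVE-2014-0160). The bug sat in
 * OpenSSL 1.0.1 through 1.0.1f and was fixed in 1.0.1g.
 *
 * Wire format of a heartbeat message: 1 byte type (1 = request,
 * 2 = response), 2-byte big-endian payload length, the payload, then at
 * least 16 bytes of padding. The vulnerable handler copies as many bytes
 * as the length field claims; the fixed one first checks that claim
 * against the number of bytes that actually arrived.
 *
 * Everything runs against a constructed, in-process "heap" so the
 * out-of-bounds read is simulated safely rather than performed for real. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HEAP_SIZE 128
#define RESP_MAX  (3 + 65535)   /* type + length + largest claimable payload */

/* Simulated server heap: the received record, followed by leftover data
 * from an earlier request (a constructed stand-in for real secrets). */
static uint8_t heap[HEAP_SIZE];
static const char secret[] = "session=abc123;password=hunter2";

/* Write a heartbeat request into the simulated heap whose length field
 * claims `claimed` payload bytes while only `actual` bytes are really sent.
 * Returns the record length, i.e. how many bytes the server truly received. */
static size_t build_request(uint16_t claimed, size_t actual) {
    size_t received = 1 + 2 + actual + 16;               /* type, length, payload, padding */
    if (received + sizeof secret > HEAP_SIZE) return 0;  /* demo bound only */
    memset(heap, 0, sizeof heap);
    heap[0] = 1;                                         /* TLS1_HB_REQUEST */
    heap[1] = (uint8_t)(claimed >> 8);
    heap[2] = (uint8_t)(claimed & 0xff);
    memset(heap + 3, 'A', actual);                       /* the real payload */
    memcpy(heap + received, secret, sizeof secret);      /* stale data right after it */
    return received;
}

/* Vulnerable handler: mirrors the pre-fix logic, which read the payload
 * length from the record and did memcpy(bp, pl, payload) with no check. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t received, uint8_t *resp) {
    (void)received;                     /* the bug: the real length is never consulted */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    resp[0] = 2;                        /* TLS1_HB_RESPONSE */
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload); /* reads past the end of the record */
    return 3 + payload;                 /* response padding omitted for brevity */
}

/* Fixed handler: the two bounds checks added in OpenSSL 1.0.1g
 * (a malformed request is silently discarded, so 0 bytes go back). */
static size_t heartbeat_fixed(const uint8_t *rec, size_t received, uint8_t *resp) {
    if (1 + 2 + 16 > received) return 0;                    /* too short to be a heartbeat */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + 16 > received) return 0;  /* claim exceeds the record */
    resp[0] = 2;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);
    return 3 + payload;
}

/* Run one request through either handler; returns the response length. */
static size_t respond(int use_fixed, uint16_t claimed, size_t actual, uint8_t *resp) {
    if ((size_t)claimed + 3 > HEAP_SIZE) return 0;  /* keep the simulation inside our heap */
    size_t received = build_request(claimed, actual);
    if (received == 0) return 0;
    return use_fixed ? heartbeat_fixed(heap, received, resp)
                     : heartbeat_vulnerable(heap, received, resp);
}

/* Did the response carry the secret that sat beyond the request? */
static int response_leaks_secret(const uint8_t *resp, size_t len) {
    size_t n = sizeof secret - 1;       /* compare without the trailing NUL */
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(resp + i, secret, n) == 0) return 1;
    return 0;
}

/* Convenience wrappers so one scenario is a single call. */
static int leaks(int use_fixed, uint16_t claimed, size_t actual) {
    static uint8_t resp[RESP_MAX];
    size_t n = respond(use_fixed, claimed, actual, resp);
    return response_leaks_secret(resp, n);
}
static size_t response_len(int use_fixed, uint16_t claimed, size_t actual) {
    static uint8_t resp[RESP_MAX];
    return respond(use_fixed, claimed, actual, resp);
}

int main(void) {
    printf("claim 80 bytes, send 1: vulnerable leaks=%d, fixed leaks=%d, fixed reply=%zu bytes\n",
           leaks(0, 80, 1), leaks(1, 80, 1), response_len(1, 80, 1));
    printf("honest 1-byte heartbeat: fixed reply=%zu bytes\n", response_len(1, 1, 1));
    return 0;
}
```

The honest request (one byte claimed, one byte sent) is answered by both handlers; only the dishonest one, which claims 80 bytes while sending one, gets the neighbouring secret echoed back by the vulnerable handler and nothing at all from the fixed one. Note that the fix is a length check, not a cryptographic change: the encryption was never broken, the server simply trusted a number the client supplied.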
Apple, the benevolent dictator
Apple has been accused of dictating policy to its development community. But sometimes, tight control can be a good thing, even if it can be frustrating. Apple steered developers to its own Common Crypto and Security frameworks and deprecated OpenSSL on OS X in 2011, and it never shipped OpenSSL on iOS at all. The concern at the time was not security but compatibility: OpenSSL does not keep a stable programming interface from one version to the next, so an app built against one version of the system library could break when that library was updated. The company described it using the following language:
Although OpenSSL is commonly used in the open source community, OpenSSL does not provide a stable API from version to version. For this reason, although OS X provides OpenSSL libraries, the OpenSSL libraries in OS X are deprecated, and OpenSSL has never been provided as part of iOS. Use of the OS X OpenSSL libraries by apps is strongly discouraged.
Bruce Schneier, a cryptographer and security technologist, described it as a catastrophic bug that rated 11 on a scale of 1 to 10. The problem was widespread and not a security indictment of any one firm, as many prestigious companies were forced to update their software on the fly to plug the leak. Patching alone was not the end of it, either: because anything the server held in memory could have been read, affected sites also had to replace certificates and keys that might have leaked and ask users to change passwords.
Besides reminding us that a million eyes looking at the same code can still overlook a problem, it also recalls a line from Andy Grove's Only the Paranoid Survive: "Anything that can be done in technology will be done."