The OpenSSL Heartbleed disaster
For two years there was a leak in certain versions of the OpenSSL stack that made it possible to intercept the traffic that was supposed to be encrypted. And even worse, there are rumors that say that this leak made it possible to read the private key of the server. If that is really the case, this security is nothing short of a meltdown of global security. In any case, it is definitively an epidemic failure. The effects of this will continue to ripple through the system for the coming weeks. Brace for more news.
Starting at the times of pbxnsip, security was a focus from the first days when we were working on the PBX. It would have been easy to use OpenSSL; it would also have had the advantage that we can easily FIPS certified. However there were drawbacks with OpenSSL. Our main concern was memory fragmentation because of the way OpenSSL was allocating memory that cannot be moved by garbage collection. Our PBX was designed to run for a very long time, and that has consequences for the memory allocation. Using C-style pointers makes that goal hard to achieve.
As a side effect, we used a buffer class wrapper that was protecting the code from accessing memory outside of the allocated memory for a variable. That was exactly what happened in the Heartbleed bug. If someone sent an index that was out of the boundaries of the memory that was allocated for the request, the OpenSSL code did not properly check if the index is within boundaries and reveal information that was supposed to stay private.
Open source has the advantage that a lot of people can take a look if the code works correctly and there are no backdoors in the code. In this case that did not help. I am afraid that it actually made things worse. It could well be that programmers who found the bug in OpenSSL code did not report the problem; instead they joined the dark side and exploited it. Giving the bad people the source code of such a critical component of the Internet had a disastrous effect. This explains why we had so many news about stolen passwords recently where nobody had a good explanation how this could happen.
I am not even sure if we need to count the people working for NSA and other government agencies around the world as bad guys. If we assume that they knew about the vulnerability for some time, not telling the public about the problem gave them for sure an advantage in accessing information that would otherwise not be accessible. However if that’s the case they accepted the huge collateral damage of others continuing to exploit the vulnerability, which is in my opinion unacceptable.
The main advantage of the Vodia PBX using its own TLS implementation is simply that it is not mainstream. This keeps it relatively safe from epidemic failures. Although we don’t know it, we can assume that that implementation is also not free from errors. But programmers who think about attacking the PBX don’t have the source code to find open doors. Finding out without the code is difficult, and definitively not low-hanging fruit.