[Cryptography] Fwd: OPENSSL FREAK

dan at geer.org
Tue Apr 7 18:50:36 EDT 2015


 | Yes, the Internet of Things as it's being called is scary as hell
 | because you know that software will not be updated in any organized
 | way - especially when the company that sold the "thing" is out of
 | business or loses a patent lawsuit or something.  Or somebody
 | who makes a business model of "give away the thing, charge for the
 | updates" is going to have a bunch of customers who are perfectly happy
 | with the way their toaster or thermostat or doorbell or whatever
 | works now and don't want to pay for a software update for it,
 | or whatever.
 | 
 | In the absence of timely, reliable upgrades, there really does
 | need to be some kind of "kill switch" to shut down discovered
 | vulnerable configuration options, or those "things" will become
 | the gateway for crooks to get into the rest of the owner's
 | network.


I'll bite.  We don't need a kill-switch but we do need a keep-alive.
In other words (and as usual), it is all about the defaults.

--dan



http://geer.tinho.net/geer.m3aawg.22x14.txt

Shared Risk and What to Do about It
Messaging, Malware and Mobile Anti-Abuse Working Group
Boston, Massachusetts, October 22, 2014

<snip>

So perhaps mandating pre-deployed fallbacks is a bad idea entirely.
Perhaps what is needed is a way to reach out and upgrade the endpoints
when the time of necessity comes.  But today, or real soon now,
most of the places needing a remote management interface through
which you can remotely upgrade the endpoints are embedded hardware.
So let me ask a question, should or should not an embedded system
be required to have a remote management interface?  If it does not,
then a late discovered flaw cannot be fixed without visiting all
the embedded systems -- which is likely to be infeasible because
some you will be unable to find, some will be where you cannot again
go, and there will be too many of them in any case.  If it does
have a remote management interface, the opponent of skill will focus
on that and, once a break is achieved, will use those self-same
management functions to ensure that not only does he retain control
over the long interval but, as well, you will be unlikely to know
that he is there.

Perhaps what is needed is for embedded systems to be more like
humans, and I most assuredly do not mean artificially intelligent.
By "more like humans" I mean this: Embedded systems, if having no
remote management interface and thus out of reach, are a life form
and as the purpose of life is to end, an embedded system without a
remote management interface must be so designed as to be certain
to die no later than some fixed time.  Conversely, an embedded
system with a remote management interface must be sufficiently
self-protecting that it is capable of refusing a command.  Inevitable
death and purposive resistance are two aspects of the human condition
we need to replicate, not somehow imagine that to overcome them is
to improve the future.

<snip>
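
The keep-alive default and the two properties named in the excerpt (certain death by a fixed time, and the ability to refuse a command), sketched as an added example that is not part of the original message or talk. Assumptions: the `Device` class, the lease format and the key are hypothetical, the device clock is trusted, and HMAC with a shared key stands in for the public-key signature check a real device would use.

```python
import hashlib
import hmac
import struct

LEASE = struct.Struct(">QQ")  # counter, expires_at (seconds); constructed format

def sign_lease(key, counter, expires_at):
    """Vendor side: issue a keep-alive. HMAC stands in for a real signature."""
    body = LEASE.pack(counter, expires_at)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Device:
    def __init__(self, key, built_at, max_life, first_lease_until):
        self.key = key
        self.end_of_life = built_at + max_life  # fixed at build, never extended
        self.lease_until = first_lease_until
        self.counter = 0                        # highest lease counter accepted

    def renew(self, token, now):
        """Accept a keep-alive, refusing forged, replayed, stale or post-EOL ones."""
        if len(token) != LEASE.size + 32 or now >= self.end_of_life:
            return False
        body, tag = token[:LEASE.size], token[LEASE.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False
        counter, expires_at = LEASE.unpack(body)
        if counter <= self.counter or expires_at <= now:
            return False
        self.counter = counter
        self.lease_until = min(expires_at, self.end_of_life)
        return True

    def may_run(self, now):
        """Default is off: silence from the vendor means the lease lapses."""
        return now < min(self.lease_until, self.end_of_life)

def demo():
    key = b"constructed-demo-key-32-bytes!!!"   # constructed sample key
    dev = Device(key, built_at=0, max_life=1000, first_lease_until=100)
    return [
        dev.may_run(50),                              # initial lease valid
        dev.may_run(100),                             # no keep-alive arrived
        dev.renew(sign_lease(key, 1, 300), now=120),  # valid renewal
        dev.renew(sign_lease(key, 1, 400), now=200),  # replayed counter
        dev.renew(sign_lease(b"x" * 32, 2, 400), now=200),  # wrong key
        dev.renew(sign_lease(key, 2, 5000), now=250), # clamped to end of life
        dev.may_run(999), dev.may_run(1000),
    ]
```

A kill switch fails open when its message is blocked or the vendor is gone; here the same silence leaves the device off, and no lease can outlive `end_of_life`.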