February 26th, 2014

What We Should Learn from the Apple SSL Bug

Written by
 

What We Should Learn from the Apple SSL BugTwo years ago, a paper appeared with the provocative title “The Most Dangerous Code in the World.” Its subject? SSL, the foundation for secure e-commerce. The world’s most dangerous software, it turns out, is a technology we all use on a more-or-less daily basis.

The problem the paper described wasn’t an issue with the SSL protocol, which is a solid and mature technology but with the client libraries developers use to start a session. SSL is easy to use but you must be careful to set it up properly. The authors found that many developers aren’t so careful, leaving the protocol open to exploit. Most of these mistakes are elementary, such as not fully validating server certificates and trust chains.

Another dramatic example of the pitfalls of SSL emerged this last weekend as Apple issued a warning about an issue discovered in its own SSL libraries on iOS. The problem seems to come from a spurious goto fail statement that crept into the source code, likely the result of a bad copy/paste. Ironically, fail is exactly what this extra code did. Clients using the library failed to completely validate server certificates, leaving them vulnerable to exploit.

The problem should have been caught in QA; obviously, it wasn’t. The lesson to take away from here is not that Apple is bad — it responded quickly and efficiently the way it should — but that even the best of the best sometimes make mistakes. Security is just hard.

So, if security is too hard and people will always make mistakes, how should we protect ourselves? The answer is to simplify. Complexity is the enemy of good security because complexity masks problems. We need to build our security architectures on basic principles that promote peer-reviewed validation of configuration as well as continuous audit of operation.

Despite this very public failure, it is safe to rely on SSL as a security solution but only if you configure it correctly. SSL is a mature technology and it is unusual for problems to appear in libraries. But this weekend’s events do highlight the uncomfortable line of trust we necessarily draw with third-party code. Obviously, we need to invest our trust carefully. But we also must recognize that bugs happen and the real test is about how effectively we respond when exploits appear and patches become available. Simple architectures work to our favor when the zero-day clock starts ticking.

On Monday at the RSA Conference, CA Technologies announced the general availability of the new Layer 7 SDK for securing mobile transactions. We designed this SDK with one goal: to make API security simpler for mobile developers. We do this by automating the process of authentication and setting up secure connections with API servers. If developers are freed up from tedious security programming, they are less likely to do something wrong — however simple the configuration may appear. In this way, developers can focus on building great apps, instead of worrying about security minutia.

In addition to offering secure authentication and communications, the SDK also provides secure Single Sign-On (SSO) across mobile apps. Use the term “SSO” and most people instinctively picture one browser authenticating across many Web servers. This common use case defined the term. But SSO can also be applied to the client apps on a mobile device. Apps are very independent in iOS and Android, and sharing information between them, such as in an authentication context, is challenging. Our SDK does this automatically and securely, providing a VPN-like experience for apps without the very negative user experience of mobile VPNs.

Let me assure you that this is not yet another opaque, proprietary security solution. Peel back the layers of this onion and you will find a standards-based OAuth and OpenID Connect implementation. We built this solution on top of the Layer 7 Gateway’s underlying PKI system and we leveraged this to provide increased levels of trust.

If you see me in the halls of the RSA Conference, don’t hesitate to stop me and ask for a demo. Or drop by the CA Technologies booth where we can show you this exciting new technology in action.

No Comments »

No comments yet.

RSS feed for comments on this post. TrackBack URL

Leave a comment