Moving away from OpenSource/OpenSSL

Moving away from OpenSSL

Macnica Techster Company offers products that allow you to use SSL/TLS with peace of mind.

If you're considering replacing it, it's Mocana's SSL/TLS.

No need to change your code (a wrapper layer/connector covering the OpenSSL API is provided).

High performance, small footprint, secure coding, GPL free, and backed by security experts.

We also have solutions that cover the entire system.

Mocana: https://www.mocana.com/

Risks of using OpenSource/OpenSSL

OpenSSL vulnerability

Recently, I think that more and more companies are concerned about the use of open source because of the GPL license and GDPR.

The news that OpenSSL, the subject of this section, was vulnerable spread widely a few years ago because of Heartbleed.

* Currently, if you search for Heartbleed as a keyword, you can find detailed explanations on many sites.

Malicious code can be remotely executed against millions of web clients and servers, as well as devices using OpenSSL-based protocols.

However, this is not the first public disclosure regarding an OpenSSL vulnerability.

Here is a list of known vulnerabilities published by the OpenSSL project.

Besides Heartbleed, they include RSA PKCS #1 v1.5 issues, Common Name null-termination attacks, various DoS attacks, FIPS module corruption and memory leaks.

Vulnerabilities: https://www.openssl.org/news/vulnerabilities.html


Also, in Japan, IPA (Information-technology Promotion Agency, Japan) has issued a warning, which I think will be useful.

IPA: https://www.ipa.go.jp/security/vuln/documents/2009/200909_openssl.html

IPA: https://www.ipa.go.jp/files/000028335.pdf


More OpenSSL security vulnerabilities may be discovered in the future. Even in the case of Heartbleed, a new vulnerability was revealed just two months later.

That bug had existed in the OpenSSL code since 1998; it simply had not been discovered before.

Imagine if your company were targeted by an attacker because you were still using OpenSSL.

Not only would this damage the company's image, but it could also result in huge costs.

Case 1

Reference: http://www.security-next.com/048185

Case 2

Reference: https://www.nikkei.com/article/DGXNASFK1602U_W4A410C1000000/


This is the first big challenge.

Challenges other than vulnerabilities

There are also issues from the following perspectives.

・Support/support period (LTS)

It is difficult to get the necessary fixes and support when you need them.

That is because OpenSSL, which like most open source is supported by volunteer contributions, has historically been under-funded and under-resourced.

Documentation also fails to keep pace with changes to the software, and many of the major topics are still marked [STILL INCOMPLETE].

・FIPS certification

OpenSSL 1.1.1, which supports the latest TLS 1.3, has not yet been FIPS certified, and no schedule for certification has been announced.

・A very large and complex codebase

OpenSSL is about 457K lines of code. Assuming OpenSSL matches the industry-standard defect rate of 15-50 bugs per 1,000 lines of code, OpenSSL would contain 6855-22850 bugs.

・The project's focus is not fixed

Too many options are enabled by default. Working out which options to disable, and how, adds to the time cost, and leaving unnecessary options turned on increases the potential cost of a security breach.
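One way to make the option problem concrete, as an added example that is neither the page's nor Mocana's own code: an OpenSSL build records every feature it was configured without as an `OPENSSL_NO_*` macro in its generated header (`<openssl/opensslconf.h>` in 1.1.x, `<openssl/configuration.h>` in 3.x), and each macro corresponds to a Configure `no-xxx` option. The script below reads those macros from a header, compares them against a baseline of legacy features a hardened build should drop, and prints the Configure options that would close the gap. The baseline list and the sample header are constructed for this example; pass a real header path as the first argument to audit an installed build.

```shell
#!/bin/sh
# Added example, not from the page or from Mocana/Macnica: audit which
# features an OpenSSL build was compiled without by reading OPENSSL_NO_*
# macros from its generated configuration header, then report which
# baseline features are still enabled and the Configure options to disable them.
# Macro names map to Configure options: OPENSSL_NO_WEAK_SSL_CIPHERS <-> no-weak-ssl-ciphers.

# List the features the build disabled, one per line, in Configure "xxx" spelling
# (lower-case, underscores turned into hyphens).
disabled_features() {
    hdr="$1"
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}OPENSSL_NO_\([A-Z0-9_]*\).*/\1/p' "$hdr" \
        | tr 'A-Z_' 'a-z-' | sort -u
}

# Print the baseline features that are still enabled in this build,
# space-separated; empty output means the build meets the baseline.
still_enabled() {
    hdr="$1"; shift
    have="$(disabled_features "$hdr")"
    missing=""
    for f in "$@"; do
        if ! printf '%s\n' "$have" | grep -qxF "$f"; then
            missing="${missing:+$missing }$f"
        fi
    done
    printf '%s\n' "$missing"
}

# Turn the gap into the Configure options (no-xxx) that would close it.
suggest_configure() {
    opts=""
    for f in $(still_enabled "$@"); do
        opts="${opts:+$opts }no-$f"
    done
    printf '%s\n' "$opts"
}

# Constructed sample header, shaped like the real generated one; it stands in
# for an installed header when no path is given on the command line.
SAMPLE_HDR="${TMPDIR:-/tmp}/openssl_sample_conf.$$.h"
cat > "$SAMPLE_HDR" <<'EOF'
/* constructed sample: SSL3, MD2 and RC5 disabled, weak ciphers and compression not */
#ifndef OPENSSL_NO_SSL3
# define OPENSSL_NO_SSL3
#endif
#ifndef OPENSSL_NO_SSL3_METHOD
# define OPENSSL_NO_SSL3_METHOD
#endif
#ifndef OPENSSL_NO_MD2
# define OPENSSL_NO_MD2
#endif
#ifndef OPENSSL_NO_RC5
# define OPENSSL_NO_RC5
#endif
#ifndef OPENSSL_THREADS
# define OPENSSL_THREADS
#endif
EOF

# Baseline (an assumption for this example): legacy protocol, cipher and
# compression features a hardened build should be configured without.
BASELINE="ssl3 ssl3-method weak-ssl-ciphers comp md2 rc5"

if [ "$#" -ge 1 ] && [ -r "$1" ]; then HDR="$1"; else HDR="$SAMPLE_HDR"; fi
echo "disabled in build:"
disabled_features "$HDR" | sed 's/^/  no-/'
echo "still enabled from baseline: $(still_enabled "$HDR" $BASELINE)"
echo "Configure options to add:    $(suggest_configure "$HDR" $BASELINE)"
```

Run against the sample header the script reports `weak-ssl-ciphers comp` as still enabled and suggests `no-weak-ssl-ciphers no-comp`; against a real header it tells you exactly which legacy features your vendor or distribution left switched on, which is the starting point for the "which options, and how to disable them" work the paragraph above describes.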