OpenSSL Makes Small Policy Update Regarding Notifications

Openssl made a small policy change two weeks ago that seems to give Huawei, one of the largest Chinese tech companies, early access to found zero days.

Openssl is used to create the keys that encrypt the data that is sent every time information leaves a computer. Almost everyone uses it. Nearly everything depends on it.

What Changing This Policy Means

By updating their security disclosure policy two weeks ago, Huawei will now be sent high severity exploits submitted by researchers  7 days in advance of the public. Overall this process is not defined in detail, and does not have ways of establishing accountability or making sure all procedures are followed.

The 2014 OpenSSL Heartbleed Incident

What is happening is frustrating because the 2014 Heartbleed Incident that affected Openssl was already considered one of the more severe security issues in recent memory. While this is a political issue that will unfold over time, once again the open source's trust in Openssl is being strained.

Heartbleed: Open source’s worst hour | ZDNet
People assumed that open source software is somehow magical, that it’s immune to ordinary programming mistakes and security blunders. It’s not.

Things That OpenSSL Said When Updating the Notification Policy

The full blog post Openssl issued regarding the change can be found here, and a snapshot of the last few paragraphs you can see below.

What Serves The Common Good

We live in an era of declining trust in institutions, groups, and governments. 12Security takes very seriously, as a matter of integrity and morality, attempts by those with some power to drain what little is left of the common good.

Deep semantics will be avoided here, but Mark's post is deceptive. Full stop. What should jump out at any reader is that the companies Openssl has a "commercial" relationship with are never mentioned in the post. In fact it takes several minutes of searching to locate them on the website. Who are they? Additionally, the extremely relevant fact that the update involves sensitive money relationships is also absent from Mark's tweet about the update several weeks ago. What is going on?

Huawei and Previous OpenSSL Support of the Chinese Communist Party

Well we will never know all of the sponsors. Apparently some sponsors prefer to give anonymously to Openssl. This is horrifying. First this strikes us as an unusually good way to launder money at the minimum. There are no internal controls, no AML software, and no auditors at Openssl.  

No one in the open source community is going to stand up and seriously challenge our claim here that large anonymous donations to critical and ubiquitous encryption technology serves the greater good.

There are two sponsors we do know of though. Huawei and Samrtisan:

Obviously these are both Chinese companies of significant size and scale.

Additionally in September 2018, Openssl also introduced the SM2, SM3, and SM4 ciphers to the library. These ciphers, designed by the Chinese government, are trivial for the Ministry of Public Security to intercept and crack. How and when Openssl began introducing algorithms designed to aid organizations accused of some of the most significant human rights violations in the last 8 decades is an urgent matter of attention.

We expect many cynical accusations of whataboutisms regarding race and justice in the United States by posting this. Or perhaps there was simply some "mix up" at the Openssl Foundation. We will say upfront we will view these claims with enormous skepticism and ask that others not to be naive upfront.

Code is Law

The subtitle above is a quote from Lawrence Lessig. If it is true then Openssl is something akin to the Supreme Court. The widespread use of this library is hard to overstate. Openssl is default. It is preinstalled. It is what you just use to encrypt keys, X.509 certificates, and data in transit.

Volunteers Yes, But Unelected Technocrats Also

Mr. Cox probably should not be controlling the fates or steering the infrastructure policy of billions of human beings around the world. He is a brilliant engineer as one can see by looking over his resume. He has lead and is responsible for some of the world's most distinguished open source projects. Again this is all very strange and the decision to enter into a de facto agreement with Huawei should be viewed with much skepticism in light of Mr. Cox's experience and distinguished background.

Final Points

We have written long technical posts before. But Openssl is functionally a very simple library to get. It helps in the encryption of data at many critical points. And this in turn shields many people from surveillance and spying.

We expect to update this blog post several times. We don't know exactly how this policy decision was made, but we are referring Mr. Cox to law enforcement officials in Washington and London. It will bring great relief to us if we are entirely wrong about the relationship with Huawei, but that seems unlikely.