Burn It With Fire: How to Eliminate an Industry-Wide Supply Chain Vulnerability
Posted by JLLeitschuh@reddit | programming | 13 comments
usernamedottxt@reddit
I was in diapers when SSL was first published. Now I’m a senior cybersecurity advisor. And we’re still convincing folks to actually use it.
ScottContini@reddit
To be overly pedantic, nobody should use SSL. They should use TLS instead.
usernamedottxt@reddit
Also did this same type of post until I actually read the RFCs and the history.
The TLS 1.0 spec is effectively identical to the SSL 3.0 spec. SSL 3 developers had pretty much agreed on a way to tag “extra features” into some unused bits and 1.0 codified that as “TLS extensions”, but left all details of it undefined.
The reason the name changed is Netscape still technically owned the SSL “brand”. While you could fairly easily argue common usage, it was easier for an organization like the IETF on a liability perspective to rename it. And the new name makes it more clear what it actually is.
So I’m all for being pedantic, but saying SSL and TLS are fundamentally different technologies is overly pedantic imo. TLS is SSL, just fixed and improved.
FullPoet@reddit
Sane defaults are so important, it's insane to me that you can just start building something in N or X framework / tool / language (especially high level) and the defaults will be complete shit, insecure and many times undocumented.
N1ghtCod3r@reddit
Amazing work!
No_Jackfruit_4305@reddit
Thank you for your service. Inspiring work
ScottContini@reddit
This is good history.
To me, “Apache” is synonymous with insecurity. I know many will downvote me for this comment, but there is so much just shockingly bad security associated with Apache including Struts, Log4j, Apache HTTP Server, Apache Commons, Tomcat, etc… it just goes on and on, and yes everything has vulnerabilities but the ones coming from Apache are always shockingly bad design choices because security was left as an afterthought.
Another point is that for a long time, Maven and similar were pushing for GPG signatures on repositories to eliminate threats like what was discussed in this article. I had a huge rant on StackOverflow about why this is so wrong long before people were talking about supply chain attacks. Over time, Maven seemed to stop talking about such signatures as the solution. Signatures just shift the problem to somewhere else. Hopefully SLSA will eventually give us a safer way of verifying artefacts but only if it becomes the norm for open source software which remains open.
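A concrete check in the spirit of the two comments above (FullPoet's point about insecure defaults, and the Maven repositories mentioned here), added as example code for this page; it is not from the thread, from JLLeitschuh, or from the linked article. It assumes the insecure default in question is artifact resolution over plain `http://` rather than TLS, which the earlier SSL/TLS remarks imply but the thread never spells out. The sample `pom.xml` and `build.gradle` contents, their repository ids and their hostnames are constructed for the example.

```python
"""Flag build-file repository URLs that use plain http:// instead of https://.

Added example, not code from the Reddit thread or the linked article. It
assumes the insecure default under discussion is dependency resolution over
unencrypted HTTP, and that the remedy is an https:// URL to a repository that
actually serves TLS. The sample build files below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Maven POMs use a default XML namespace, so XPath lookups need a prefix map.
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample pom.xml: one plain-HTTP repository, one HTTPS repository,
# and one plain-HTTP plugin repository.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository>
      <id>legacy-mirror</id>
      <url>http://repo.example.internal/maven2</url>
    </repository>
    <repository>
      <id>central</id>
      <url>https://repo.maven.apache.org/maven2</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>plugins-http</id>
      <url>http://plugins.example.internal/maven2</url>
    </pluginRepository>
  </pluginRepositories>
</project>
"""

# Constructed sample build.gradle covering the common ways a URL is written.
SAMPLE_GRADLE = """
repositories {
    mavenCentral()
    maven { url 'http://nexus.example.internal/repository/maven-public/' }
    maven { url = uri("https://jitpack.io") }
    maven { url "http://localhost:8081/repository/snapshots/" }
}
"""

HTTP_SCHEME = re.compile(r"^http://", re.IGNORECASE)
# Matches `url 'x'`, `url "x"` and `url = uri("x")` inside a Gradle script.
GRADLE_URL = re.compile(r"""url\s*=?\s*(?:uri\()?\s*["']([^"']+)["']""")


def insecure_pom_repos(pom_xml: str) -> list[tuple[str, str]]:
    """Return (id, url) for each <repository>/<pluginRepository> served over http://."""
    root = ET.fromstring(pom_xml)
    findings: list[tuple[str, str]] = []
    for path in ("m:repositories/m:repository",
                 "m:pluginRepositories/m:pluginRepository"):
        for repo in root.findall(path, POM_NS):
            repo_id = repo.findtext("m:id", default="", namespaces=POM_NS)
            url = repo.findtext("m:url", default="", namespaces=POM_NS).strip()
            if HTTP_SCHEME.match(url):
                findings.append((repo_id, url))
    return findings


def insecure_gradle_repos(build_gradle: str) -> list[str]:
    """Return every repository URL in a Gradle script that uses http://."""
    return [u for u in GRADLE_URL.findall(build_gradle) if HTTP_SCHEME.match(u)]


def fix_url(url: str) -> str:
    """Rewrite the scheme to https://. The host is unchanged, so the repository
    must actually serve TLS for the build to keep resolving."""
    return HTTP_SCHEME.sub("https://", url)


if __name__ == "__main__":
    for repo_id, url in insecure_pom_repos(SAMPLE_POM):
        print(f"pom.xml: repository '{repo_id}' uses {url} -> {fix_url(url)}")
    for url in insecure_gradle_repos(SAMPLE_GRADLE):
        print(f"build.gradle: {url} -> {fix_url(url)}")
```

The scan is deliberately strict: every `http://` URL is reported, including `localhost`, because a build that tolerates an unencrypted repository on one machine tends to keep that configuration when it is copied elsewhere; exempting specific hosts is a policy decision for the team running the check.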
st4rdr0id@reddit
The entire stack has to be secured, from the HW to the OS to the build and deployment processes.
Unfortunately we can't scrutinize HW, and consumer-grade OSes are not designed with security as the main priority.
LeagueOfLegendsAcc@reddit
Wow I can't believe a company hasn't scooped you up yet. This is a pretty remarkable achievement.
desmaraisp@reddit
This is genuinely impressive work. Managing to get those big orgs to actually fix those issues is pretty awe-inspiring imo
JLLeitschuh@reddit (OP)
Thanks! It's been a fun personal security research project over the past several years. I've gotten some flak from the Apache and Jenkins teams over the years. They haven't always been fans of my bulk generating security fix pull requests across their repos. Almost everyone else has been rather appreciative of the work overall.
Pheasn@reddit
Honestly, that sounds exactly on brand for those two
CanvasFanatic@reddit
At this point I’m on board to just burn it with fire.