The Really Scary Aspect About Heartbleed

Posted: Apr 10 2014, 1:45pm CDT | by , Updated: Apr 10 2014, 2:04pm CDT, in News | Technology News


Another day, another Internet security crisis. This time it’s a problem with the encryption protocol that many Internet sites use to protect their data. Yet again, users for whom the basics of Internet security are as obscure as the functioning of car engines are being told there are lots of “site lemons” out there and that they need to be careful.

For those who want the nitty-gritty on what the Heartbleed bug is and what went wrong with the “code library” it snuck into, read Rusty Foster in the New Yorker. As for whether it affects you and the sites you use, check out this tool from password service LastPass. (Yes, Netflix and HBOGo, for example, were vulnerable to the Heartbleed bug, meaning someone may have been able to ping those websites for people’s usernames and passwords, and you should change your credentials there when their sites are fixed.)

It will be fixed, just like Apple's GoToFail encryption bug was fixed, and this will blow over, and people will change their passwords, and everything will be fine…. unless, as Bruce Schneier points out, the flaw is in an embedded system that can’t be updated. Regardless, something like this will happen again. The bigger problem illuminated by this latest security crisis was spelled out in a report from the Wall Street Journal’s Danny Yadron. The OpenSSL code library on which so many companies rely for their Web security only has one dude working on the project full-time.

OpenSSL is managed by four core European programmers, only one of whom counts it as his full-time job.

And it is strapped for cash:

Writing encryption code is complex, so many website operators tap OpenSSL, which is free. It was created in the late 1990s by developers who wanted an easy-to-use encryption scheme for Internet traffic. Its website is bare bones, as are its finances. Steve Marquess, president of the OpenSSL Software Foundation, a separate entity that solicits funding for the team that manages the code, said its 2013 budget was less than $1 million.

That’s despite the fact that up to two-thirds of the Web relies on it. The German developer Robin Seggelmann responsible for Heartbleed, who introduced the coding version of a typo, did so an hour from New Year’s Eve in 2011, according to reports. Because it is an open-source project, anyone can review it, and the hope — one deeply rooted in the philosophy of the Internet age — is that through crowd-sourcing, mistakes will inevitably be caught and scourged.

But it wasn’t spotted until two years later, by Google security engineer Neel Mehta. He is not talking to the press, according to a Google spokesperson, who would only provide a statement from the company. “The security of our users’ information is a top priority,” she writes. “We fixed this bug early and Google users do not need to change their passwords.”

But what about the larger problem? Internet users big and small, from billion-dollar corporations like Google and Yahoo to little non-profits offering secure websites, are relying on a volunteer project to provide the skeleton for their security.

“Heartbleed is further evidence that we don’t have our house in order when it comes to Internet security,” Princeton computer security expert Edward Felten tells Farhad Manjoo in the New York Times. He went on to compare the “culture of software development” with the “safety culture that is common in fields such as aviation” and finds the former lacking. That makes sense in a way: the Internet doesn’t usually kill you when it fails, but it can certainly be expensive for companies and troublesome for Internet users when something like Heartbleed happens.

So what’s the solution? Obviously, those tending to the security protocols that support the rest of the Web need better infrastructure and more funding. “Large portions of the software infrastructure of the Internet are built and maintained by volunteers, who get little reward when their code works well but are blamed, and sometimes savagely derided, when it fails,” writes Foster in the New Yorker.

He sees some change thanks to venture capital funding in open source code-infrastructure projects, like GitHub and the Node Package Manager. “But money and support still tend to flow to the newest and sexiest projects, while boring but essential elements like OpenSSL limp along as volunteer efforts,” he writes. “It’s easy to take open-source software for granted, and to forget that the Internet we use every day depends in part on the freely donated work of thousands of programmers.”

We need to find ways to pay for work that is currently essentially donated freely. One promising project is Bithub, from Whisper Systems, where people who make valuable contributions to open source projects are rewarded (with Bitcoin of course). But the pool of Bitcoin is still donation based. The Internet has helped create a culture of free, but what we may need to recognize is that we get what we pay for. Well-funded companies pulling critical code from open source projects for their sites should have formal fee arrangements, rather than the volunteer group simply hoping these users will pony up some Benjamins for “prominent logo placement” on a website most people had never heard of before Heartbleed.

Anyone who gave OpenSSL $20,000 or more got its logo on their website according to their donation page. There are no logos on their website.

The Author

Forbes is among the most trusted resources for the world's business and investment leaders, providing them the uncompromising commentary, concise analysis, relevant tools and real-time reporting they need to succeed at work, profit from investing and have fun with the rewards of winning.