Heartbleed bug has revealed major flaw in online security - so much of the web is based on free software that anyone can access

The Heartbleed vulnerability arose from a section of code that helps maintain a piece of free software used by companies and government agencies almost everywhere

A major flaw revealed this week in widely used encryption software has highlighted one of the enduring – and terrifying – realities of the internet: it is inherently chaotic, built by multitudes and continuously tweaked, with nobody in overall charge.

The Heartbleed bug is a product of the online world's makeshift nature. While users see the logos of big, multibillion-dollar companies when they shop, bank and communicate over the internet, nearly all of those companies rely on free software – often built and maintained by volunteers – to help make those services secure.

The Heartbleed vulnerability arose from a section of code that had been approved two years ago by a developer who helps maintain OpenSSL, a piece of free software created in the mid-1990s and still used by companies and government agencies almost everywhere.

While the extent of the damage caused by the bug may never be known, the possibilities for data theft are enormous. At the very least, many companies and government agencies will have to replace their encryption keys, and millions of users will have to create new passwords on sites where they are accustomed to seeing the small lock icon that symbolises online encryption.

“This was old code. Everyone depends on it. And I think that just everyone assumed that somebody else was dealing with it,” says Christopher Soghoian, principal technologist for the American Civil Liberties Union.

The group that was actually maintaining OpenSSL consisted of fewer than a dozen encryption enthusiasts spread across four continents. Many have never met each other in person. Their headquarters – if there can be said to be one – is a sprawling home office in Frederick, Maryland, where a single employee lives and works amid racks of servers and an industrial-grade internet connection.

The total donations to the group last year, in support of work that keeps billions of pounds of commerce and countless personal secrets flowing safely across the internet: less than £1,500. Luckily, the group also makes some money from consulting work.

“When you consider how complicated and significant a piece of software it is, and how critical a piece of infrastructure it is, it is kind of mind-boggling,” said Steve Marquess, the president of the OpenSSL Software Foundation and a former US federal technology contractor.


The Heartbleed flaw was discovered by a Google researcher and, separately, by a Finnish security company, Codenomicon. The flaw could allow hackers to access user names, passwords and credit card numbers. Some researchers believe that hackers could potentially access encryption keys that could unlock internet traffic on a mass scale.

OpenSSL is “open source” software – the source code is publicly available for scrutiny – and it was thought that such problems were less likely than with closed source software such as Microsoft's products. The belief is captured in a saying popular among the open source community: “Given enough eyeballs, all bugs are shallow” – meaning flaws will be spotted and quickly fixed.

But security experts have warned for years that open-source software can harbour serious problems because the volunteers and non-profit groups that often create it lack the time and expertise to continually update their work against a barrage of hacking attempts.

Part of the problem is that many large profit-making companies make use of open-source software without contributing to its maintenance, either financially or in programming expertise. “These guys are working very hard for very little money,” says Matthew Green, a Johns Hopkins University cryptography expert. “Yahoo and all these companies are getting all this value out of this. If they just gave a small fraction of that [to the foundation], everyone would be better off.”

The foundation made less than £500,000 last year, almost entirely from consulting contracts. That is not enough to commission a security audit of OpenSSL, a meticulous process that involves testing the software for vulnerabilities.

“This is the sort of thing that nobody is going to come along and offer a wad of money to do,” said Mr Marquess. “No one person is going to get a benefit out of that.” Hence the global palpitations over Heartbleed.

© Washington Post
