Heartbleed bug has revealed major flaw in online security - so much of the web is based on free software that anyone can access

The Heartbleed vulnerability arose from a section of code that helps maintain a piece of free software used by companies and government agencies almost everywhere

A major flaw revealed this week in widely used encryption software has highlighted one of the enduring – and terrifying – realities of the internet: it is inherently chaotic, built by multitudes and continuously tweaked, with nobody in overall charge.

The Heartbleed bug is a product of the online world's makeshift nature. While users see the logos of big, multibillion-dollar companies when they shop, bank and communicate over the internet, nearly all of those companies rely on free software – often built and maintained by volunteers – to help make those services secure.

The Heartbleed vulnerability arose from a section of code that had been approved two years ago by a developer who helps maintain OpenSSL, a piece of free software created in the mid-1990s and still used by companies and government agencies almost everywhere.

While the extent of the damage caused by the bug may never be known, the possibilities for data theft are enormous. At the very least, many companies and government agencies will have to replace their encryption keys, and millions of users will have to create new passwords on sites where they are accustomed to seeing the small lock icon that symbolises online encryption.

“This was old code. Everyone depends on it. And I think that just everyone assumed that somebody else was dealing with it,” says Christopher Soghoian, principal technologist for the American Civil Liberties Union.

The group that was actually maintaining OpenSSL consisted of fewer than a dozen encryption enthusiasts spread across four continents. Many have never met each other in person. Their headquarters – if there can be said to be one – is a sprawling home office in Frederick, Maryland, where a single employee lives and works amid racks of servers and an industrial-grade internet connection.

The total donations to the group last year, in support of work that keeps billions of pounds of commerce and countless personal secrets flowing safely across the internet: less than £1,500. Luckily, the group also makes some money from consulting work.

“When you consider how complicated and significant a piece of software it is, and how critical a piece of infrastructure it is, it is kind of mind-boggling,” said Steve Marquess, the president of the OpenSSL Software Foundation and a former US federal technology contractor.


The Heartbleed flaw was discovered by a Google researcher and, separately, by Codenomicon, a Finnish security company. The flaw could allow attackers to read user names, passwords and credit card numbers out of a vulnerable server's memory. Some researchers believe that attackers could also obtain a server's private encryption keys, which would let them unlock internet traffic on a mass scale.
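The mechanism behind that memory leak, as an added example rather than code from the article or from OpenSSL itself: a small C model of a TLS heartbeat handler. A heartbeat message carries its own payload-length field, and the vulnerable handler trusts that field without checking it against the number of bytes actually received, so a short request that claims a long payload is answered with whatever happens to sit in memory after it. The arena, the "secret" placed behind the record and the handler names are constructed for this demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the TLS heartbeat over-read (not OpenSSL's code).
 * Message layout: type(1) | payload_length(2, big-endian) | payload | padding(16).
 * The bug is trusting payload_length without checking it against the bytes received. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16, HB_HDR = 3 };
#define ARENA 256   /* stand-in for the server's heap (assumption for this model) */

typedef size_t (*hb_handler)(const uint8_t *rec, size_t rec_len, uint8_t *resp);

/* Encode a request whose length field may lie about the real payload size. */
static size_t build_request(uint8_t *out, uint16_t claimed_len,
                            const uint8_t *payload, size_t real_len)
{
    out[0] = HB_REQUEST;
    out[1] = (uint8_t)(claimed_len >> 8);
    out[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(out + HB_HDR, payload, real_len);
    memset(out + HB_HDR + real_len, 0, HB_PADDING);
    return HB_HDR + real_len + HB_PADDING;
}

/* Echo `len` bytes starting at `payload` back to the peer. */
static size_t write_response(uint8_t *resp, const uint8_t *payload, uint16_t len)
{
    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(len >> 8);
    resp[2] = (uint8_t)(len & 0xff);
    memcpy(resp + HB_HDR, payload, len);   /* copies whatever follows the request */
    memset(resp + HB_HDR + len, 0, HB_PADDING);
    return HB_HDR + len + HB_PADDING;
}

/* Vulnerable: rec_len is never consulted, so a claimed length larger than the
 * record makes the reply contain memory that was never part of the request. */
static size_t handle_heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *resp)
{
    (void)rec_len;
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    return write_response(resp, rec + HB_HDR, payload_len);
}

/* Fixed: header + claimed payload + padding must fit inside the received record;
 * a request that does not is discarded without a reply. */
static size_t handle_heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *resp)
{
    if (rec_len < HB_HDR + HB_PADDING) return 0;      /* too short to be a heartbeat */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + payload_len + HB_PADDING > rec_len) return 0;
    return write_response(resp, rec + HB_HDR, payload_len);
}

static int contains(const uint8_t *hay, size_t hlen, const uint8_t *needle, size_t nlen)
{
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Send one 5-byte request with the given claimed length. A constructed secret sits
 * right behind the record in the arena, as key material or a session cookie would
 * on a real heap. Returns the reply length (0 = rejected); *leaked is set if the
 * secret was echoed back. */
static size_t run_heartbeat(hb_handler handler, uint16_t claimed_len, int *leaked)
{
    static const uint8_t secret[] = "PRIVATE-KEY-MATERIAL";
    uint8_t arena[ARENA] = {0}, resp[ARENA] = {0};
    *leaked = 0;
    if ((size_t)HB_HDR + claimed_len + HB_PADDING > ARENA) return 0; /* keep the model in bounds */
    size_t rec_len = build_request(arena, claimed_len, (const uint8_t *)"hello", 5);
    memcpy(arena + rec_len, secret, sizeof secret - 1);

    size_t n = handler(arena, rec_len, resp);
    if (n) *leaked = contains(resp, n, secret, sizeof secret - 1);
    return n;
}

static size_t heartbeat_reply_len(hb_handler h, uint16_t claimed) { int l; return run_heartbeat(h, claimed, &l); }
static int    heartbeat_leaks(hb_handler h, uint16_t claimed)     { int l; run_heartbeat(h, claimed, &l); return l; }

int main(void)
{
    printf("vulnerable, claims 64: reply %zu bytes, leaked=%d\n",
           heartbeat_reply_len(handle_heartbeat_vulnerable, 64), heartbeat_leaks(handle_heartbeat_vulnerable, 64));
    printf("fixed, claims 64:      reply %zu bytes, leaked=%d\n",
           heartbeat_reply_len(handle_heartbeat_fixed, 64), heartbeat_leaks(handle_heartbeat_fixed, 64));
    printf("fixed, honest 5:       reply %zu bytes\n", heartbeat_reply_len(handle_heartbeat_fixed, 5));
    return 0;
}
```

The request is 24 bytes on the wire (3-byte header, 5-byte payload, 16 bytes of padding) but claims a 64-byte payload; the vulnerable handler answers with 83 bytes that include the secret placed after the record, while the fixed handler drops the lying request and still answers an honest one. The real bug allowed claims of up to 64 KB per request, and nothing stopped a client from asking again.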

OpenSSL is “open source” software – the source code is publicly available for scrutiny – and it was thought that such problems were less likely than with closed source software such as Microsoft's products. The belief is captured in a saying popular among the open source community: “Given enough eyeballs, all bugs are shallow” – meaning flaws will be spotted and quickly fixed.

But security experts have warned for years that open-source software can harbour serious problems because the volunteers and non-profit groups that often create them lack the time and expertise to continually update their work against a barrage of hacking attempts.

Part of the problem is that many large profit-making companies make use of open-source software without contributing to its maintenance, either financially or in programming expertise. “These guys are working very hard for very little money,” says Matthew Green, a Johns Hopkins University cryptography expert. “Yahoo and all these companies are getting all this value out of this. If they just gave a small fraction of that [to the foundation], everyone would be better off.”

The foundation made less than £500,000 last year, almost entirely from consulting contracts. That is not enough to commission a security audit of OpenSSL, a meticulous process that involves testing the software for vulnerabilities.

“This is the sort of thing that nobody is going to come along and offer a wad of money to do,” said Mr Marquess. “No one person is going to get a benefit out of that.” Hence the global palpitations over Heartbleed.

© Washington Post
