Heartbleed bug has revealed major flaw in online security - so much of the web is based on free software that anyone can access

The Heartbleed vulnerability arose from a section of code that helps maintain a piece of free software used by companies and government agencies almost everywhere

A major flaw revealed this week in widely used encryption software has highlighted one of the enduring – and terrifying – realities of the internet: it is inherently chaotic, built by multitudes and continuously tweaked, with nobody in overall charge.

The Heartbleed bug is a product of the online world's makeshift nature. While users see the logos of big, multibillion-dollar companies when they shop, bank and communicate over the internet, nearly all of those companies rely on free software – often built and maintained by volunteers – to help make those services secure.

The Heartbleed vulnerability arose from a section of code that had been approved two years ago by a developer who helps maintain OpenSSL, a piece of free software created in the mid-1990s and still used by companies and government agencies almost everywhere.

While the extent of the damage caused by the bug may never be known, the possibilities for data theft are enormous. At the very least, many companies and government agencies will have to replace their encryption keys, and millions of users will have to create new passwords on sites where they are accustomed to seeing the small lock icon that symbolises online encryption.

“This was old code. Everyone depends on it. And I think that just everyone assumed that somebody else was dealing with it,” says Christopher Soghoian, principal technologist for the American Civil Liberties Union.

The group that was actually maintaining OpenSSL consisted of fewer than a dozen encryption enthusiasts spread across four continents. Many have never met each other in person. Their headquarters – if there can be said to be one – is a sprawling home office in Frederick, Maryland, where a single employee lives and works amid racks of servers and an industrial-grade internet connection.

The total donations to the group last year, in support of work that keeps billions of pounds of commerce and countless personal secrets flowing safely across the internet: less than £1,500. Luckily, the group also makes some money from consulting work.

“When you consider how complicated and significant a piece of software it is, and how critical a piece of infrastructure it is, it is kind of mind-boggling,” said Steve Marquess, the president of the OpenSSL Software Foundation and a former US federal technology contractor.


The Heartbleed flaw was discovered by a Google researcher and, separately, by a Finnish security company, Codenomicon. The flaw could allow hackers to access user names, passwords and credit card numbers. Some researchers believe that hackers could potentially access encryption keys that could unlock internet traffic on a mass scale.

OpenSSL is “open source” software – the source code is publicly available for scrutiny – and it was thought that such problems were less likely than with closed source software such as Microsoft's products. The belief is captured in a saying popular among the open source community: “Given enough eyeballs, all bugs are shallow” – meaning flaws will be spotted and quickly fixed.

But security experts have warned for years that open-source software can harbour serious problems because the volunteers and non-profit groups that often create it lack the time and expertise to continually update their work against a barrage of hacking attempts.

Part of the problem is that many large profit-making companies make use of open-source software without contributing to its maintenance, either financially or in programming expertise. “These guys are working very hard for very little money,” says Matthew Green, a Johns Hopkins University cryptography expert. “Yahoo and all these companies are getting all this value out of this. If they just gave a small fraction of that [to the foundation], everyone would be better off.”

The foundation made less than £500,000 last year, almost entirely from consulting contracts. That is not enough to commission a security audit of OpenSSL, a meticulous process that involves testing the software for vulnerabilities.

“This is the sort of thing that nobody is going to come along and offer a wad of money to do,” said Mr Marquess. “No one person is going to get a benefit out of that.” Hence the global palpitations over Heartbleed.

© Washington Post
