Heartbleed bug has revealed major flaw in online security - so much of the web is based on free software that anyone can access

The Heartbleed vulnerability arose from a section of code that helps maintain a piece of free software used by companies and government agencies almost everywhere

A major flaw revealed this week in widely used encryption software has highlighted one of the enduring – and terrifying – realities of the internet: it is inherently chaotic, built by multitudes and continuously tweaked, with nobody in overall charge.

The Heartbleed bug is a product of the online world's makeshift nature. While users see the logos of big, multibillion-dollar companies when they shop, bank and communicate over the internet, nearly all of those companies rely on free software – often built and maintained by volunteers – to help make those services secure.

The Heartbleed vulnerability arose from a section of code that had been approved two years ago by a developer who helps maintain OpenSSL, a piece of free software created in the mid-1990s and still used by companies and government agencies almost everywhere.

While the extent of the damage caused by the bug may never be known, the possibilities for data theft are enormous. At the very least, many companies and government agencies will have to replace their encryption keys, and millions of users will have to create new passwords on sites where they are accustomed to seeing the small lock icon that symbolises online encryption.

“This was old code. Everyone depends on it. And I think that just everyone assumed that somebody else was dealing with it,” says Christopher Soghoian, principal technologist for the American Civil Liberties Union.

The group that was actually maintaining OpenSSL consisted of fewer than a dozen encryption enthusiasts spread across four continents. Many have never met each other in person. Their headquarters – if there can be said to be one – is a sprawling home office in Frederick, Maryland, where a single employee lives and works amid racks of servers and an industrial-grade internet connection.

The total donations to the group last year, in support of work that keeps billions of pounds of commerce and countless personal secrets flowing safely across the internet: less than £1,500. Luckily, the group also makes some money from consulting work.

“When you consider how complicated and significant a piece of software it is, and how critical a piece of infrastructure it is, it is kind of mind-boggling,” said Steve Marquess, the president of the OpenSSL Software Foundation and a former US federal technology contractor.


The Heartbleed flaw was discovered by a Google researcher and, separately, by a Finnish security company, Codenomicon. The flaw could allow hackers to access user names, passwords and credit card numbers. Some researchers believe that hackers could potentially access encryption keys that could unlock internet traffic on a mass scale.

OpenSSL is “open source” software – the source code is publicly available for scrutiny – and it was thought that such problems were less likely than with closed source software such as Microsoft's products. The belief is captured in a saying popular among the open source community: “Given enough eyeballs, all bugs are shallow” – meaning flaws will be spotted and quickly fixed.

But security experts have warned for years that open-source software can harbour serious problems because the volunteers and non-profit groups that often create it lack the time and expertise to continually update their work against a barrage of hacking attempts.

Part of the problem is that many large profit-making companies make use of open-source software without contributing to its maintenance, either financially or in programming expertise. “These guys are working very hard for very little money,” says Matthew Green, a Johns Hopkins University cryptography expert. “Yahoo and all these companies are getting all this value out of this. If they just gave a small fraction of that [to the foundation], everyone would be better off.”

The foundation made less than £500,000 last year, almost entirely from consulting contracts. That is not enough to commission a security audit of OpenSSL, a meticulous process that involves testing the software for vulnerabilities.

“This is the sort of thing that nobody is going to come along and offer a wad of money to do,” said Mr Marquess. “No one person is going to get a benefit out of that.” Hence the global palpitations over Heartbleed.

© Washington Post