Heartbleed bug has revealed major flaw in online security - so much of the web is based on free software that anyone can access

The Heartbleed vulnerability arose from a section of code that helps maintain a piece of free software used by companies and government agencies almost everywhere

A major flaw revealed this week in widely used encryption software has highlighted one of the enduring – and terrifying – realities of the internet: it is inherently chaotic, built by multitudes and continuously tweaked, with nobody in overall charge.

The Heartbleed bug is a product of the online world's makeshift nature. While users see the logos of big, multibillion-dollar companies when they shop, bank and communicate over the internet, nearly all of those companies rely on free software – often built and maintained by volunteers – to help make those services secure.

The Heartbleed vulnerability arose from a section of code that had been approved two years ago by a developer who helps maintain OpenSSL, a piece of free software created in the mid-1990s and still used by companies and government agencies almost everywhere.

While the extent of the damage caused by the bug may never be known, the possibilities for data theft are enormous. At the very least, many companies and government agencies will have to replace their encryption keys, and millions of users will have to create new passwords on sites where they are accustomed to seeing the small lock icon that symbolises online encryption.

“This was old code. Everyone depends on it. And I think that just everyone assumed that somebody else was dealing with it,” says Christopher Soghoian, principal technologist for the American Civil Liberties Union.

The group that was actually maintaining OpenSSL consisted of fewer than a dozen encryption enthusiasts spread across four continents. Many have never met each other in person. Their headquarters – if there can be said to be one – is a sprawling home office in Frederick, Maryland, where a single employee lives and works amid racks of servers and an industrial-grade internet connection.

The total donations to the group last year, in support of work that keeps billions of pounds of commerce and countless personal secrets flowing safely across the internet: less than £1,500. Luckily, the group also makes some money from consulting work.

“When you consider how complicated and significant a piece of software it is, and how critical a piece of infrastructure it is, it is kind of mind-boggling,” said Steve Marquess, the president of the OpenSSL Software Foundation and a former US federal technology contractor.


The Heartbleed flaw was discovered by a Google researcher and, separately, by a Finnish security company, Codenomicon. The flaw could allow hackers to access user names, passwords and credit card numbers. Some researchers believe that hackers could potentially access encryption keys that could unlock internet traffic on a mass scale.

OpenSSL is “open source” software – the source code is publicly available for scrutiny – and it was thought that such problems were less likely than with closed source software such as Microsoft's products. The belief is captured in a saying popular among the open source community: “Given enough eyeballs, all bugs are shallow” – meaning flaws will be spotted and quickly fixed.

But security experts have warned for years that open-source software can harbour serious problems because the volunteers and non-profit groups that often create it lack the time and expertise to continually update their work against a barrage of hacking attempts.

Part of the problem is that many large profit-making companies make use of open-source software without contributing to its maintenance, either financially or in programming expertise. “These guys are working very hard for very little money,” says Matthew Green, a Johns Hopkins University cryptography expert. “Yahoo and all these companies are getting all this value out of this. If they just gave a small fraction of that [to the foundation], everyone would be better off.”

The foundation made less than £500,000 last year, almost entirely from consulting contracts. That is not enough to commission a security audit of OpenSSL, a meticulous process that involves testing the software for vulnerabilities.

“This is the sort of thing that nobody is going to come along and offer a wad of money to do,” said Mr Marquess. “No one person is going to get a benefit out of that.” Hence the global palpitations over Heartbleed.

© Washington Post
