Heartbleed bug has revealed major flaw in online security - so much of the web is based on free software that anyone can access

The Heartbleed vulnerability arose from a section of code that helps maintain a piece of free software used by companies and government agencies almost everywhere

A major flaw revealed this week in widely used encryption software has highlighted one of the enduring – and terrifying – realities of the internet: it is inherently chaotic, built by multitudes and continuously tweaked, with nobody in overall charge.

The Heartbleed bug is a product of the online world's makeshift nature. While users see the logos of big, multibillion-dollar companies when they shop, bank and communicate over the internet, nearly all of those companies rely on free software – often built and maintained by volunteers – to help make those services secure.

The Heartbleed vulnerability arose from a section of code that had been approved two years ago by a developer who helps maintain OpenSSL, a piece of free software created in the mid-1990s and still used by companies and government agencies almost everywhere.

While the extent of the damage caused by the bug may never be known, the possibilities for data theft are enormous. At the very least, many companies and government agencies will have to replace their encryption keys, and millions of users will have to create new passwords on sites where they are accustomed to seeing the small lock icon that symbolises online encryption.

“This was old code. Everyone depends on it. And I think that just everyone assumed that somebody else was dealing with it,” says Christopher Soghoian, principal technologist for the American Civil Liberties Union.

The group that was actually maintaining OpenSSL consisted of fewer than a dozen encryption enthusiasts spread across four continents. Many have never met each other in person. Their headquarters – if there can be said to be one – is a sprawling home office in Frederick, Maryland, where a single employee lives and works amid racks of servers and an industrial-grade internet connection.

The total donations to the group last year, in support of work that keeps billions of pounds of commerce and countless personal secrets flowing safely across the internet: less than £1,500. Luckily, the group also makes some money from consulting work.

“When you consider how complicated and significant a piece of software it is, and how critical a piece of infrastructure it is, it is kind of mind-boggling,” said Steve Marquess, the president of the OpenSSL Software Foundation and a former US federal technology contractor.


The Heartbleed flaw was discovered by a Google researcher and, separately, by a Finnish security company, Codenomicon. The flaw could allow hackers to access user names, passwords and credit card numbers. Some researchers believe that hackers could potentially access encryption keys that could unlock internet traffic on a mass scale.

OpenSSL is “open source” software – the source code is publicly available for scrutiny – and it was thought that such problems were less likely than with closed source software such as Microsoft's products. The belief is captured in a saying popular among the open source community: “Given enough eyeballs, all bugs are shallow” – meaning flaws will be spotted and quickly fixed.

But security experts have warned for years that open-source software can harbour serious problems because the volunteers and non-profit groups that often create it lack the time and expertise to continually update their work against a barrage of hacking attempts.

Part of the problem is that many large profit-making companies make use of open-source software without contributing to its maintenance, either financially or in programming expertise. “These guys are working very hard for very little money,” says Matthew Green, a Johns Hopkins University cryptography expert. “Yahoo and all these companies are getting all this value out of this. If they just gave a small fraction of that [to the foundation], everyone would be better off.”

The foundation made less than £500,000 last year, almost entirely from consulting contracts. That is not enough to commission a security audit of OpenSSL, a meticulous process that involves testing the software for vulnerabilities.

“This is the sort of thing that nobody is going to come along and offer a wad of money to do,” said Mr Marquess. “No one person is going to get a benefit out of that.” Hence the global palpitations over Heartbleed.

© Washington Post
