Heartbleed bug has revealed major flaw in online security - so much of the web is based on free software that anyone can access

The Heartbleed vulnerability arose from a section of code that helps maintain a piece of free software used by companies and government agencies almost everywhere

A major flaw revealed this week in widely used encryption software has highlighted one of the enduring – and terrifying – realities of the internet: it is inherently chaotic, built by multitudes and continuously tweaked, with nobody in overall charge.

The Heartbleed bug is a product of the online world's makeshift nature. While users see the logos of big, multibillion-dollar companies when they shop, bank and communicate over the internet, nearly all of those companies rely on free software – often built and maintained by volunteers – to help make those services secure.

The Heartbleed vulnerability arose from a section of code that had been approved two years ago by a developer who helps maintain OpenSSL, a piece of free software created in the mid-1990s and still used by companies and government agencies almost everywhere.

While the extent of the damage caused by the bug may never be known, the possibilities for data theft are enormous. At the very least, many companies and government agencies will have to replace their encryption keys, and millions of users will have to create new passwords on sites where they are accustomed to seeing the small lock icon that symbolises online encryption.

“This was old code. Everyone depends on it. And I think that just everyone assumed that somebody else was dealing with it,” says Christopher Soghoian, principal technologist for the American Civil Liberties Union.

The group that was actually maintaining OpenSSL consisted of fewer than a dozen encryption enthusiasts spread across four continents. Many have never met each other in person. Their headquarters – if there can be said to be one – is a sprawling home office in Frederick, Maryland, where a single employee lives and works amid racks of servers and an industrial-grade internet connection.

The total donations to the group last year, in support of work that keeps billions of pounds of commerce and countless personal secrets flowing safely across the internet: less than £1,500. Luckily, the group also makes some money from consulting work.

“When you consider how complicated and significant a piece of software it is, and how critical a piece of infrastructure it is, it is kind of mind-boggling,” said Steve Marquess, the president of the OpenSSL Software Foundation and a former US federal technology contractor.


The Heartbleed flaw was discovered by a Google researcher and, separately, by a Finnish security company, Codenomicon. The flaw could allow hackers to access user names, passwords and credit card numbers. Some researchers believe that hackers could potentially access encryption keys that could unlock internet traffic on a mass scale.

OpenSSL is “open source” software – the source code is publicly available for scrutiny – and it was thought that such problems were less likely than with closed source software such as Microsoft's products. The belief is captured in a saying popular among the open source community: “Given enough eyeballs, all bugs are shallow” – meaning flaws will be spotted and quickly fixed.

But security experts have warned for years that open-source software can harbour serious problems because the volunteers and non-profit groups that often create it lack the time and expertise to continually update their work against a barrage of hacking attempts.

Part of the problem is that many large profit-making companies make use of open-source software without contributing to its maintenance, either financially or in programming expertise. “These guys are working very hard for very little money,” says Matthew Green, a Johns Hopkins University cryptography expert. “Yahoo and all these companies are getting all this value out of this. If they just gave a small fraction of that [to the foundation], everyone would be better off.”

The foundation made less than £500,000 last year, almost entirely from consulting contracts. That is not enough to commission a security audit of OpenSSL, a meticulous process that involves testing the software for vulnerabilities.

“This is the sort of thing that nobody is going to come along and offer a wad of money to do,” said Mr Marquess. “No one person is going to get a benefit out of that.” Hence the global palpitations over Heartbleed.

© Washington Post
