The effect of the Heartbleed bug on open source projects
The Heartbleed bug in OpenSSL is all the information security world is talking about these days. Many are beginning to realize that its existence has opened multiple cans of worms.
One aspect of the revelation is how it will affect the trust professionals and regular users have in open source software.
Dr. Robin Seggelmann, the 31-year-old German software developer who introduced the Heartbleed flaw into OpenSSL’s code in December 2011, says it was an error that, unfortunately, went undetected first by the code reviewer, Dr. Stephen Henson, and then by everyone else for over two years.
“I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” Seggelmann explained for The Sydney Morning Herald. “In one of the new features, unfortunately, I missed validating a variable containing a length.”
Dr. Seggelmann is a contributor to the Internet Engineering Task Force (IETF), a research associate with the Münster University of Applied Sciences in Germany, and a respected security professional.
He denied inserting the bug on purpose and with malicious intent.
“But in this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area,” he said. “It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project.”
Still, he doesn’t deny that the flaw could have been misused by intelligence agencies during this period. “It is a possibility, and it’s always better to assume the worst than best case in security matters, but since I didn’t know [about] the bug until it was released and [I am] not affiliated with any agency, I can only speculate,” he concluded.
He pointed out that the main difficulty of creating open source software is attracting contributors and code reviewers, and expressed hope that this incident will spur more people to contribute to open source projects, especially when the software is relevant for security.
“The OpenSSL team, which is surprisingly small, has been given the task of maintaining the world’s most popular TLS library. It’s a hard job with essentially no pay. It involves taking other folks’ code (as in the case of Heartbeat) and doing a best-possible job of reviewing it. Then you hope others will notice it and disclose it responsibly before disasters happen,” noted Matthew Green, a cryptographer and research professor at Johns Hopkins University.
“The OpenSSL developers have a pretty amazing record considering the amount of use this library gets and the quantity of legacy cruft and the number of platforms (over eighty!) they have to support. Maybe in the midst of patching their servers, some of the big companies that use OpenSSL will think of tossing them some real no-strings-attached funding so they can keep doing their job.”
Google has recently started a Patch Rewards Program to reward researchers who aim to “improve the security of key third-party software critical to the health of the entire Internet” with “down-to-earth, proactive improvements that go beyond merely fixing a known security bug.” The program includes many open source projects, including OpenSSL.
The thing is, as Paul Roberts notes, this situation is “a plain reminder of the extent to which modern IT infrastructure has become dependent on the integrity of third-party code that too often proves to be unreliable. In fact, Heartbleed and OpenSSL may end up being the poster child for third-party code audits.”