The Washington Post reports: A major flaw revealed this week in widely used encryption software has highlighted one of the enduring — and terrifying — realities of the Internet: It is inherently chaotic, built by multitudes and continuously tweaked, with nobody in charge of it all.
The Heartbleed bug, which security experts first publicly revealed on Monday, was a product of the online world’s makeshift nature. While users see the logos of big, multibillion-dollar companies when they shop, bank and communicate over the Internet, nearly all of those companies rely on free software — often built and maintained by volunteers — to help make those services secure.
Heartbleed, security experts say, was lodged in a section of code that had been approved two years ago by a developer who helps maintain OpenSSL, a piece of free software created in the mid-1990s and still used by companies and government agencies almost everywhere.
While the extent of the damage caused by the bug may never be known, the possibilities for data theft are enormous. At the very least, many companies and government agencies will have to replace their encryption keys, and millions of users will have to create new passwords on sites where they are accustomed to seeing the small lock icon that symbolizes online encryption.
“This was old code. Everyone depends on it. And I think that just everyone assumed that somebody else was dealing with it,” said Christopher Soghoian, principal technologist for the American Civil Liberties Union.
The group that was actually dealing with it consisted of fewer than a dozen encryption enthusiasts sprawled across four continents. Many have never met each other in person. Their headquarters — to the extent one exists at all — is a sprawling home office outside Frederick, Md., on the shoulders of Sugarloaf Mountain, where a single employee lives and works amid racks of servers and an industrial-grade Internet connection.