How to stop the next Heartbleed bug: Pay open-source coders to protect us

Dan Gillmor writes: Yes, it is beyond worrisome that a bug this big existed for so long. But the discovery of Heartbleed – a truly mind-boggling flaw in OpenSSL, the widely used web security technology run on open-source code – led to one of the most rapid responses I’ve ever seen in the encryption world.

We’re not nearly finished repairing this gaping hole in our online safety, with potentially hundreds of thousands of email accounts and sites relying on a secure connection exposed to Heartbleed. And, yes, the National Security Agency probably knew about it before you did. But still, thousands of sites have moved quickly to mitigate at least some of the immediate damage.

So why is everyone pointing fingers at the beleaguered developers of OpenSSL? Because someone should have found this programming error two years ago? Sure, but don’t blame this tiny team of volunteers; go change your password (but only if your favorite sites have been updated). These aren’t just some lazy coders letting your bank account login leak into the online slipstream; they’re heroes, who have worked tirelessly during the past few years on software that can be freely downloaded and modified, that brings online safety, at a low cost, to all of us. And, seriously, there are only like 17 of them.

The last thing we want to do, as some fear-mongers have suggested this week amidst ‘the worst thing to happen to the internet’, is turn over our communications infrastructure from open-source software to for-profit companies that want to extract cash from the ecosystem. The more eyes we have on open programming instructions, the more likely someone will find a bug. [Continue reading…]