How Heartbleed broke the internet — and why it can happen again

Wired reports: Stephen Henson is responsible for the tiny piece of software code that rocked the internet earlier this week.

The key moment arrived at about 11 o’clock on New Year’s Eve, 2011. With 2012 just minutes away, Henson received the code from Robin Seggelmann, a respected academic who’s an expert in internet protocols. Henson reviewed the code — an update for a critical internet security protocol called OpenSSL — and by the time his fellow Britons were ringing in the New Year, he had added it to a software repository used by sites across the web.

Two years would pass until the rest of the world discovered this, but this tiny piece of code contained a bug that would cause massive headaches for internet companies worldwide, give conspiracy theorists a field day, and, well, undermine our trust in the internet. The bug is called Heartbleed, and it’s bad. People have used it to steal passwords and usernames from Yahoo. It could let a criminal slip into your online bank account. And in theory, it could even help the NSA or China with their surveillance efforts.

It’s no surprise that a small bug would cause such huge problems. What’s amazing, however, is that the code that contained this bug was written by a team of four coders that has only one person contributing to it full-time. And yet Henson’s situation isn’t an unusual one. It points to a much larger problem with the design of the internet. Some of its most important pieces are controlled by just a handful of people, many of whom aren’t paid well — or aren’t paid at all. And that needs to change. Heartbleed has shown — so very clearly — that we must add more oversight to the internet’s underlying infrastructure. We need a dedicated and well-funded engineering task force overseeing not just online encryption but many other parts of the net.

The sad truth is that open source software — which underpins vast swathes of the net — has a serious sustainability problem. [Continue reading…]


One thought on “How Heartbleed broke the internet — and why it can happen again”

  1. pabelmont

    I’ve long believed that Open source s/w was safer than Microsoft stuff. The safety was supposed to arise from checking by many, many independent people. How did this one get by?

    BTW, I once maintained an in-house compiler and the first bug I found and fixed was not reported as a bug — it was a failure of a free-storage allocation routine to check if an address exceeded the top-limit of the free storage block; found it just by reading the code. Heartbleed sounds similar.
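The comparison in the comment above is apt: Heartbleed was also a missing upper-bound check, in this case a failure to verify that the payload length a peer claims in a TLS heartbeat message actually fits inside the record that was received. The C below is an added illustration written for this page; it is not OpenSSL's code and not the commenter's. The message layout (type, two-byte big-endian payload length, payload, at least 16 bytes of padding) follows RFC 6520, the two sample records are constructed, and names such as `heartbeat_response` and `HB_GOOD` are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Heartbeat message body layout (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_HEADER    3

/* Build a heartbeat response into out (capacity out_cap) for the received
 * record rec of rec_len bytes. Returns the response length, or -1 if the
 * record is malformed. This is the hardened shape: every length that comes
 * from the peer is validated against bytes we actually hold before any copy. */
int heartbeat_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    /* A record must at least carry the header and the minimum padding. */
    if (rec_len < HB_HEADER + HB_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;

    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];

    /* The bounds check that Heartbleed lacked: the peer-supplied length must
     * fit inside the record we received. Without it, the memcpy below would
     * read payload_len bytes of whatever memory follows the record. */
    if (HB_HEADER + payload_len + HB_PADDING > rec_len) return -1;

    size_t resp_len = HB_HEADER + payload_len + HB_PADDING;
    if (resp_len > out_cap) return -1;          /* also bound our own buffer */

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);   /* echo payload */
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);    /* padding (random in practice) */
    return (int)resp_len;
}

/* Constructed sample records (assumptions, not captured traffic). */
/* Well-formed: claims 4 payload bytes and really carries 4 plus 16 padding. */
static const uint8_t HB_GOOD[] = {
    HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
};
/* Malformed: claims 65535 payload bytes but the record is only 23 bytes. */
static const uint8_t HB_BAD[] = {
    HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
};

/* Response length for the well-formed record: 3 + 4 + 16 = 23. */
int demo_good_len(void)
{
    uint8_t out[64];
    return heartbeat_response(HB_GOOD, sizeof HB_GOOD, out, sizeof out);
}

/* 1 if the well-formed record's response echoes the payload correctly. */
int demo_good_echo(void)
{
    uint8_t out[64];
    int n = heartbeat_response(HB_GOOD, sizeof HB_GOOD, out, sizeof out);
    return n == 23 && out[0] == HB_RESPONSE && out[1] == 0 && out[2] == 4
           && memcmp(out + HB_HEADER, "ping", 4) == 0;
}

/* The oversized claim is rejected (-1) instead of over-reading memory. */
int demo_bad_len(void)
{
    uint8_t out[64];
    return heartbeat_response(HB_BAD, sizeof HB_BAD, out, sizeof out);
}

int main(void)
{
    printf("good record -> response length %d (echo ok: %d)\n",
           demo_good_len(), demo_good_echo());
    printf("bad record  -> %d (rejected)\n", demo_bad_len());
    return 0;
}
```

The point of the example is the single `if` comparing the claimed length against `rec_len`: that is the whole difference between a correct echo and an information leak, which is why a reviewer reading the code, as the commenter did with the allocator, can spot this class of bug without ever running it.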
