The OpenSSL Heartbleed vulnerability is by now well known to anybody in the ICT security field. At first sight it looked catastrophic: Schneier wrote that on a scale of 1 to 10 it was worth 11. At the moment it is not clear what damage it has directly caused, in particular before the public announcement. But what is possibly more worrisome is the future, on which there is an ongoing big discussion of which I try to summarize a few points:
- this is an extremely serious bug in a security library used by almost everybody; OpenSSL is indeed embedded in many software products, so how long and how hard will it be to update all that software? Major software producers have had, and will continue to have, a hard time updating all their programs to run with a patched version of the library.
- but even more difficult is the process of getting all users of vulnerable applications to update them; in particular all embedded systems (think, as a simple example, of routers and firewalls with VPN capabilities), which often do not have simple ways of updating their software.
- and what about the Internet way of producing the so-called “Open Source” software (and sometimes also hardware)? One of the great forces which helps the development of the Internet is the “free” availability of its fundamental components, but who is providing these components? There are some large companies which directly support some of these, but other projects, like OpenSSL, are mostly run by volunteers in their free time; how can the Internet rely on this? (Not from a technical competence point of view, since most of these people are the brightest and most competent there are, but from the availability and support point of view.) How can we at the same time still have “open” or “free” software and guarantee availability, correctness, support etc., all characteristics which require infrastructure, commitment and, first of all, money?
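The second and third points above are, in practice, an inventory problem: before anything can be updated, an operator has to find every copy of the library, including the ones statically linked into application binaries or buried in a firmware image, which no package manager lists. The script below is an added example written for this page, not code from the original post; it relies on the fact that every OpenSSL build embeds a version banner of the form "OpenSSL x.y.zq <date>", scans a directory tree for that banner, and reports the path and version of each file that carries one. The sample files it creates (a fake "vpn-daemon" and a text file) are constructed for the demonstration; the versions it reports are meant to be compared against the OpenSSL advisory for the fixed release, which the script deliberately does not hard-code.

```shell
#!/bin/sh
# Added example (not from the original post): inventory files that embed an
# OpenSSL version banner. The banner is the OPENSSL_VERSION_TEXT string that
# every build of the library carries (e.g. "OpenSSL 1.0.1e 11 Feb 2013"), and it
# survives static linking, so scanning for it finds copies of OpenSSL inside
# application binaries and unpacked firmware that the package manager knows
# nothing about. Compare the reported versions against the OpenSSL advisory.

# Print "path<TAB>version" for every regular file under $1 that embeds a banner.
scan_openssl_banners() {
    dir="$1"
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        # -a treats binary files as text, -o prints only the matching fragment,
        # -m 1 stops at the first matching line; head keeps a single match per file.
        v=$(grep -a -o -m 1 -E 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' "$f" 2>/dev/null | head -n 1)
        if [ -n "$v" ]; then
            # Strip the leading "OpenSSL " so only the version remains.
            printf '%s\t%s\n' "$f" "${v#OpenSSL }"
        fi
    done
}

# Number of files under $1 that embed a banner (handy for a quick summary).
count_banners() {
    scan_openssl_banners "$1" | wc -l | tr -d ' '
}

# Build a small constructed tree so the example runs offline: one fake binary
# with a banner surrounded by NUL bytes (as in a real ELF .rodata section) and
# one plain file without any library inside. The version string is a sample
# value chosen for the demonstration, not a claim about any particular product.
make_sample_tree() {
    t=$(mktemp -d)
    printf 'garbage\0OpenSSL 1.0.1e 11 Feb 2013\0more' > "$t/vpn-daemon"
    printf 'no library here' > "$t/notes.txt"
    echo "$t"
}

# Usage: run against a real tree such as / on a host or the unpacked root of a
# firmware image, e.g.  scan_openssl_banners /path/to/unpacked-firmware
sample=$(make_sample_tree)
scan_openssl_banners "$sample"
echo "files with an embedded OpenSSL banner: $(count_banners "$sample")"
```

On a real host the interesting hits are the ones outside the system library directory, since those are the statically linked copies that a `libssl` package update will not touch.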