A major flaw revealed this week in widely used encryption software has highlighted one of the enduring – and terrifying – realities of the Internet: It is inherently chaotic, built by multitudes and continuously tweaked, with nobody in charge of it all.
The Heartbleed bug, which security experts first publicly revealed Monday, was a product of the online world’s makeshift nature. While users see the logos of big, multibillion-dollar companies when they shop, bank and communicate over the Internet, nearly all of those companies rely on free software – often built and maintained by volunteers – to help make those services secure.
Heartbleed, security experts say, was lodged in a section of code, an implementation of the TLS Heartbeat extension that failed to check a length field supplied by the remote end of the connection, that had been approved two years ago by a developer who helps maintain OpenSSL, a piece of free software created in the mid-1990s and still used by companies and government agencies almost everywhere.
While the extent of the damage caused by the bug may never be known, the possibilities for data theft are enormous. At the very least, many companies and government agencies will have to replace their encryption keys and certificates, and millions of users will have to create new passwords, once the affected sites have patched and re-keyed, on sites where they are accustomed to seeing the small lock icon that symbolizes online encryption.
“This was old code. Everyone depends on it. And I think that just everyone assumed that somebody else was dealing with it,” said Christopher Soghoian, principal technologist for the American Civil Liberties Union.
The group that was actually dealing with it consisted of fewer than a dozen encryption enthusiasts sprawled across four continents. Many have never met each other in person. Their headquarters – to the extent one exists at all – is a sprawling home office outside Frederick, Md., on the shoulders of Sugarloaf Mountain, where a single employee lives and works amid racks of servers and an industrial-grade Internet connection.
The total donations to the group last year, in support of work that keeps billions of dollars of commerce and countless personal secrets flowing safely across the Internet: less than $2,000. The group also makes money from consulting work.
“When you consider how complicated and significant a piece of software it is, and how critical a piece of infrastructure it is, it is kind of mind-boggling,” said Steve Marquess, president of the OpenSSL Software Foundation and a former federal technology contractor who works out of his Frederick-area house. “It’s such a thin thread.”
The Internet grew from research by the Defense Department in the late 1960s, but there has never been a master plan. One group built the Web browser, another search technology, another payment networks. Still others made the encryption technology that is increasingly demanded – and scrutinized – in the aftermath of revelations by former National Security Agency contractor Edward Snowden about the power and pervasiveness of Internet surveillance.
Heartbleed, named for the TLS “Heartbeat” extension that OpenSSL implements, was discovered by a Google researcher and, separately, by a Finland-based security company, Codenomicon.
The flaw could allow attackers to read the contents of a server’s memory, including user names, passwords, credit card numbers and Social Security numbers that happened to be there. Some researchers believe that attackers might even have been able to extract a server’s private encryption key, which would let them decrypt recorded traffic, including traffic captured years earlier, unless the connections had used a forward-secret key exchange.
Companies and government agencies have been scrambling for days to correct the flaw by updating software. Dozens of popular websites, including Yahoo, have proved vulnerable to data theft this week. Because exploitation leaves no trace in ordinary server logs (a malicious heartbeat is a well-formed TLS record that a web server never records), it is extremely difficult – and perhaps impossible – to know what sites were infiltrated between the release of the vulnerable OpenSSL 1.0.1 in March 2012 and the bug’s discovery two years later.
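To make the flaw concrete, here is a reduced C model written for this article; it is not code from the article or from OpenSSL. The record layout follows the TLS Heartbeat extension (RFC 6520): a type byte, a two-byte payload length, the payload, and padding. The handler logic is a simplification of the real one, the 256-byte memory region, the “ping” payload and the SECRET string are constructed stand-ins for whatever sat after the record buffer on a real server, and the response-buffer size assumes the 65,535-byte maximum a two-byte length can claim.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified TLS Heartbeat record (RFC 6520 layout):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16)
 * The handlers below illustrate the logic; they are not OpenSSL's source. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR      3
#define HB_PADDING  16
#define RESP_CAP    (HB_HDR + 65535 + HB_PADDING)

/* Constructed stand-in for live data that followed the record buffer
 * on a real server (session data, passwords, key material). */
static const char SECRET[] = "session_cookie=deadbeef; private_key_fragment";

/* Build a request whose header claims `claimed_len` payload bytes while
 * carrying only `real_len`. Returns the length of the record actually sent. */
size_t build_request(unsigned char *buf, size_t cap, const char *payload,
                     size_t real_len, uint16_t claimed_len)
{
    if (cap < HB_HDR + real_len + HB_PADDING) return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(claimed_len >> 8);
    buf[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(buf + HB_HDR, payload, real_len);
    memset(buf + HB_HDR + real_len, 0, HB_PADDING);
    return HB_HDR + real_len + HB_PADDING;
}

/* Vulnerable handler: echoes as many bytes as the peer's header claims,
 * never comparing that claim with the record that was actually received. */
size_t heartbeat_vulnerable(const unsigned char *rec, unsigned char *resp)
{
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + HB_HDR, rec + HB_HDR, payload);  /* reads past the real payload */
    memset(resp + HB_HDR + payload, 0, HB_PADDING);
    return HB_HDR + payload + HB_PADDING;
}

/* Fixed handler: check the claimed length against the record length and
 * silently discard anything that does not fit. Returns 0 when discarded. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *resp)
{
    if (rec_len < HB_HDR + HB_PADDING) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR + (size_t)payload + HB_PADDING > rec_len) return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + HB_HDR, rec + HB_HDR, payload);
    memset(resp + HB_HDR + payload, 0, HB_PADDING);
    return HB_HDR + payload + HB_PADDING;
}

/* Place a 4-byte "ping" request and, right behind it, SECRET, the way
 * adjacent buffers sit in process memory. Returns the record length. */
static size_t stage_memory(unsigned char *mem, size_t cap, uint16_t claimed_len)
{
    size_t rec_len = build_request(mem, cap, "ping", 4, claimed_len);
    memcpy(mem + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* Leading bytes of SECRET that the vulnerable handler echoes back when the
 * header claims `claimed_len`. The claim is clamped so the over-read stays
 * inside this demo's 256-byte region; a real attack claimed up to 65535. */
size_t leaked_secret_bytes(uint16_t claimed_len)
{
    unsigned char mem[256] = {0};
    unsigned char resp[RESP_CAP];
    if (claimed_len > sizeof mem - HB_HDR) claimed_len = sizeof mem - HB_HDR;
    size_t rec_len = stage_memory(mem, sizeof mem, claimed_len);
    size_t resp_len = heartbeat_vulnerable(mem, resp);
    /* resp[HB_HDR..] mirrors mem[HB_HDR..]; SECRET begins at mem[rec_len]. */
    size_t n = 0;
    while (n < sizeof SECRET - 1 && rec_len + n < resp_len - HB_PADDING &&
           resp[rec_len + n] == (unsigned char)SECRET[n])
        n++;
    return n;
}

/* Response length from the fixed handler for the same staged memory. */
size_t fixed_response_len(uint16_t claimed_len)
{
    unsigned char mem[256] = {0};
    unsigned char resp[RESP_CAP];
    size_t rec_len = stage_memory(mem, sizeof mem, claimed_len);
    return heartbeat_fixed(mem, rec_len, resp);
}

int main(void)
{
    printf("honest claim of 4:  leaked %zu bytes, fixed handler answers %zu bytes\n",
           leaked_secret_bytes(4), fixed_response_len(4));
    printf("bogus claim of 64:  leaked %zu bytes, fixed handler answers %zu bytes\n",
           leaked_secret_bytes(64), fixed_response_len(64));
    return 0;
}
```

The single comparison in the fixed handler is the whole patch in spirit: the claimed payload length, plus header and padding, must fit inside the record that arrived. It is also exactly the mismatch that network detection rules keyed on at the time, since nothing on the server side records a heartbeat that passed through the vulnerable code.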
Such problems were supposed to be less likely with “open source” software, produced by groups that publish the entirety of the computer code online, for all to see and scrutinize for flaws and potential improvements.
Open-source advocates often claim that their work, as opposed to software produced by private companies such as Microsoft, has fewer flaws, because of the inherent transparency of the process. The belief is captured in a saying popular among the community: “Given enough eyeballs, all bugs are shallow” – meaning that when enough people read the code, flaws are quickly found and fixed.
But security experts have warned for years that open-source software can harbor serious problems because the volunteers and nonprofit groups that often create it lack the time and expertise to continually update their work, especially as hackers become more prevalent and sophisticated.
In 2009, Columbia University computer scientist Steve Bellovin wrote in a blog post focusing on problems in Firefox that “if the open source movement is to fulfill its promise, it needs to solve its buggy code problem.”
On Wednesday, he said by email, “There has been some effort to improve the process, but it’s not been enough.”