OpenSSL shows big problem with open source; underfunded, understaffed

OpenSSL has a tiny budget and is mostly a volunteer operation, yet it maintains encryption software used by servers and users worldwide. As we know, the OpenSSL code has a huge, dangerous hole in it which allows attackers to grab a private key from a server. This is not a theoretical attack. Researchers responding to a CloudFlare challenge grabbed keys from servers in three hours. Exposing a server's private key is akin to leaving the door of a bank safe open.

The problem was caused by one line of code added by a volunteer. The error was not caught by OpenSSL. The exploit has existed in the wild for two years.

Oddly, a co-founder of OpenSSL appears to think such seat-of-the-pants operations are OK. I disagree. They might be OK when writing an unimportant WordPress plug-in. However, this is unacceptable for crucial software.

“The fascinating, mind-boggling fact here is that you have this critical piece of network infrastructure that really runs a large part of the Internet, and there’s basically one guy working on it full time.”

OpenSSL needs to be well-funded, with multiple permanent employees and relentless code testing.

Contact

Bob Morris bob@polizeros.com
