OpenSSL shows big problem with open source; underfunded, understaffed


OpenSSL has a tiny budget, is mostly a volunteer operation, yet maintains secure encryption software used by servers and users worldwide. As we know, OpenSSL code has a huge, dangerous hole in it which allows attackers to grab a private key on a server. This is not a theoretical attack. Researchers responding to an CloudFlare challenge grabbed keys from servers in three hours. Exposing a private key on a server is akin to leaving the door of a bank safe open.

The problem was caused one line of code added by a volunteer. The error was not caught by OpenSSL. The exploit has existed in the wild for two years.

Oddly, a co-founder of OpenSSL appears to think such seat-of-the-pants operations are ok. I disagree. They might be ok if writing an unimportant WordPress plug-in. However this is unacceptable with crucial software.

“The fascinating, mind-boggling fact here is that you have this critical piece of network infrastructure that really runs a large part of the Internet, and there’s basically one guy working on it full time.”

OpenSSL needs to be well-funded, with multiple permanent employees and relentless code testing.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.