Safety of Open-Source

17 October 2014


When news broke of Heartbleed, a security bug in open-source software implementing the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, everyone was advised to change almost all of their passwords. Websites affected by this bug included Google, Yahoo, Netflix, YouTube, Dropbox, and Facebook, just to name a few.

So what exactly was Heartbleed? It was a vulnerability in OpenSSL, open-source software that many websites use to transmit data securely. To transmit data securely, the data is encrypted so that only the recipient can read it and hackers cannot decipher it. When two computers are communicating with each other, one will occasionally send a “heartbeat,” a small packet of data that basically asks the other computer if the connection is still secure. The security vulnerability that researchers found was that the packet could be disguised to trick the computer into sending data that it has stored.
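To make the flaw described above concrete, the following added example (not code from this post or from OpenSSL) simulates a heartbeat responder that trusts the length field in the request, next to one that checks it against the size of the record actually received. The message layout and 16-byte minimum padding follow RFC 6520; the memory layout, the `SECRET` string and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { HB_REQUEST = 1, HB_RESPONSE = 2 };   /* RFC 6520 message types */
enum { HB_PADDING = 16, REC_LEN = 23 };     /* min padding; 1+2+4+16 byte record */
#define SECRET "CONSTRUCTED-SECRET"         /* stand-in for neighbouring memory */

static uint8_t mem[64], reply[64];   /* constructed memory, reply buffer */
static int leaked;                   /* set by demo(): reply carried SECRET */

/* Echo `claimed` payload bytes back; both responders share this step. */
static size_t echo(const uint8_t *rec, size_t claimed, uint8_t *out) {
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);
    return 3 + claimed;
}

/* Flawed responder: trusts the length field and never consults rec_len. */
size_t hb_reply_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    (void)rec_len;
    return echo(rec, ((size_t)rec[1] << 8) | rec[2], out);
}

/* Hardened responder: silently drop a record too short for what it claims. */
size_t hb_reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + claimed + HB_PADDING > rec_len) return 0;
    return echo(rec, claimed, out);
}

/* Request carries "ping" but its length field says `claimed`; SECRET follows. */
size_t demo(int checked, uint16_t claimed) {
    if (claimed > sizeof mem - 3) return 0;   /* keep the demo inside mem[] */
    memset(mem, 0, sizeof mem); memset(reply, 0, sizeof reply);
    mem[0] = HB_REQUEST; mem[1] = (uint8_t)(claimed >> 8); mem[2] = (uint8_t)claimed;
    memcpy(mem + 3, "ping", 4); memcpy(mem + REC_LEN, SECRET, sizeof SECRET - 1);
    size_t n = (checked ? hb_reply_checked : hb_reply_unchecked)(mem, REC_LEN, reply);
    leaked = n >= REC_LEN + sizeof SECRET - 1
             && memcmp(reply + REC_LEN, SECRET, sizeof SECRET - 1) == 0;
    return n;
}

int main(void) {
    size_t n = demo(0, 40);
    printf("unchecked: reply %zu bytes, leaked=%d\n", n, leaked);
    n = demo(1, 40);
    printf("checked:   reply %zu bytes, leaked=%d\n", n, leaked);
}
```

The only difference between the two responders is the comparison of the claimed payload length with the length of the record that arrived, which is the kind of bounds check whose absence made the bug possible.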

Heartbleed happened quite a few months ago, so why is this relevant? I thought it would be interesting to examine a case that is very well known, widespread, and fairly recent, to analyze what this bug means for the future and whether open-source software will change. After such a big security vulnerability, critics examined whether open-source software was actually safe. The main conclusion is that coding is not perfect, so there are bound to be coding errors that may lead to a security vulnerability, but that can happen with both open and closed source. Critics don’t agree on which one is safer. Some argue that with open source there are more eyeballs, so the chance of catching a bug is much higher. The only problem with that is that, in reality, there aren’t that many eyeballs constantly looking at open-source code. Open-source software lacks the financial and human support it needs to run at maximum efficiency, and Heartbleed made that clear.

Ultimately, security flaws are inevitable. Even closed-source software that customers pay a lot for has security flaws. Open-source software is not unsafe, but Heartbleed was a call to action for many companies using open-source software to make sure they are constantly monitoring the code.

After what some think was the worst security bug to hit the Internet, do you think open-source is safe? What do you think people can do to prevent something like this from happening again?

Articles:

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

http://mashable.com/2014/04/14/heartbleed-open-source/

http://www.businessinsider.com/heartbleed-bug-explainer-2014-4

http://www.nextgov.com/cio-briefing/2014/08/after-heartbleed-open-source-more-trouble-its-worth/92309/
