Few technology practitioners will have missed the recent news that more than 60% of websites could be affected by a flaw in the OpenSSL library known as “Heartbleed” (CVE-2014-0160), exploitable by criminals to read server memory and steal information, including usernames, passwords, session cookies and, in the worst case, the server's private TLS key. Strictly speaking it is not a flaw in the cryptography at all but a missing bounds check in OpenSSL's implementation of the TLS heartbeat extension: a peer can claim a heartbeat payload far larger than the one it actually sent, and the server echoes back up to 64 KB of whatever happens to follow that record in memory. The flaw exists in OpenSSL 1.0.1 through 1.0.1f, that is, every release between 14 March 2012 and 7 April 2014 that has not been patched or upgraded to OpenSSL 1.0.1g; the older 0.9.8 and 1.0.0 branches do not contain the heartbeat code and are not affected.
To date, it is not clear to what extent the bug has been exploited in the wild. A malicious heartbeat is handled inside the TLS layer and is not recorded in ordinary web-server access logs, so the absence of evidence on a given server is not evidence that it was never attacked. The potential is widespread, due in no small part to the use of OpenSSL by Apache, nginx and other web servers, which between them serve more than two-thirds of active websites on the internet. The vulnerability also affects many e-mail servers (SMTP, IMAP and POP over TLS) and any other service that links against an affected copy of the library.
To close this vulnerability, update to OpenSSL 1.0.1g immediately, or to a distribution package that backports the fix; since several distributions patched 1.0.1e in place, check the package changelog or the build date shown by `openssl version -a` rather than trusting the version string alone. If this is not possible, developers are advised to recompile OpenSSL with the compile-time option OPENSSL_NO_HEARTBEATS (-DOPENSSL_NO_HEARTBEATS), which removes the heartbeat code entirely. Patching alone is not sufficient: every process that has the old library loaded must be restarted, and because the leaked memory may have contained the server's private key, operators should generate new keys, reissue their certificates, revoke the old ones and invalidate existing sessions. Operating system vendors and distributions, appliance vendors and independent software vendors should adopt the fix and notify their users. Service providers and users will need to install the fix as it becomes available for the operating systems, networked appliances and software they use.
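To make the bounds-check failure concrete, the following is an added, self-contained C example written for this page; it is not OpenSSL's source, although the two handlers mirror the logic of the pre- and post-1.0.1g heartbeat code. A constructed heartbeat request with a one-byte payload claims a 64-byte payload, and a constructed secret is placed directly after the record inside a simulated memory arena (so the over-read stays within memory the program owns and the demo itself is well-defined). The vulnerable handler echoes the secret back; the hardened one, which compares the claimed length with the bytes actually received, drops the record. The `out_cap` check in the vulnerable version stands in for the malloc of `1 + 2 + payload + padding` that bounded the write side in the real code; the read side had no bound at all.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat record (RFC 6520): 1-byte type, 16-bit big-endian
 * payload_length, payload, then at least 16 bytes of padding. */
#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16

/* Decode the 16-bit big-endian length field, as OpenSSL's n2s() does. */
static uint16_t n2s(const unsigned char *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Build the response: type, echoed length, echoed payload, zero padding.
 * Reads `payload` bytes from rec + 3 whether or not they were received. */
static size_t emit_response(const unsigned char *rec, uint16_t payload,
                            unsigned char *out) {
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (size_t)1 + 2 + payload + HB_PADDING;
}

/* Vulnerable handler (logic of OpenSSL 1.0.1 to 1.0.1f): the payload
 * length is attacker-controlled and never compared with rec_len, the
 * number of bytes actually received, so memcpy reads past the record. */
static size_t hb_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    (void)rec_len;                           /* ignored, as in the original */
    if (rec[0] != TLS1_HB_REQUEST) return 0;
    uint16_t payload = n2s(rec + 1);
    if ((size_t)1 + 2 + payload + HB_PADDING > out_cap) return 0;
    return emit_response(rec, payload, out); /* over-read happens here */
}

/* Hardened handler (the 1.0.1g check): header, claimed payload and
 * padding must all fit inside the record actually received, otherwise
 * the heartbeat is silently discarded. */
static size_t hb_hardened(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap) {
    if (rec_len < (size_t)1 + 2 + HB_PADDING) return 0; /* too short to be valid */
    if (rec[0] != TLS1_HB_REQUEST) return 0;
    uint16_t payload = n2s(rec + 1);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return 0; /* the fix */
    if ((size_t)1 + 2 + payload + HB_PADDING > out_cap) return 0;
    return emit_response(rec, payload, out);
}

/* Constructed scenario (not real traffic): one-byte payload, length
 * field claiming 64, and a constructed secret living right after the
 * record in a simulated memory arena. */
static const char kSecret[] = "session=abc123;password=hunter2";
#define CLAIMED_LEN 64

static size_t run_handler(int use_hardened, unsigned char *out, size_t out_cap) {
    unsigned char arena[256] = {0};
    size_t rec_len = 1 + 2 + 1 + HB_PADDING;           /* bytes really sent: 20 */
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = (unsigned char)(CLAIMED_LEN >> 8);
    arena[2] = (unsigned char)(CLAIMED_LEN & 0xff);
    arena[3] = 'A';                                    /* the only real payload byte */
    memset(arena + 4, 0xAA, HB_PADDING);               /* padding */
    memcpy(arena + rec_len, kSecret, sizeof kSecret);  /* adjacent memory */
    return use_hardened ? hb_hardened(arena, rec_len, out, out_cap)
                        : hb_vulnerable(arena, rec_len, out, out_cap);
}

/* Response length produced for the constructed request (0 = dropped). */
size_t demo_response_len(int use_hardened) {
    unsigned char out[256];
    return run_handler(use_hardened, out, sizeof out);
}

/* 1 if the secret appears anywhere in the response, else 0. */
int demo_leaks_secret(int use_hardened) {
    unsigned char out[256];
    size_t n = run_handler(use_hardened, out, sizeof out);
    size_t slen = sizeof kSecret - 1;
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, kSecret, slen) == 0) return 1;
    return 0;
}

int main(void) {
    printf("vulnerable: %zu response bytes, secret leaked: %s\n",
           demo_response_len(0), demo_leaks_secret(0) ? "yes" : "no");
    printf("hardened:   %zu response bytes, secret leaked: %s\n",
           demo_response_len(1), demo_leaks_secret(1) ? "yes" : "no");
    return 0;
}
```

The vulnerable path returns an 83-byte response (3 header bytes, 64 echoed bytes, 16 padding) containing the secret that was never part of the request; the hardened path returns nothing. Note that the fix is a single comparison against the received record length, which is also why OPENSSL_NO_HEARTBEATS works as a stopgap: with no heartbeat code compiled in, there is no length field to trust.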
One of the key benefits of open source software, according to its advocates, is that because the code is open to scrutiny, errors and bugs will be spotted much more rapidly than in proprietary software. Some commentators may suggest that the fact that Heartbleed went undetected for at least two years weakens that argument, although of course we cannot say how long the same flaw would have taken to discover in proprietary software, so this is probably not a supportable argument. In fact, the developer who inadvertently introduced the bug told The Guardian newspaper that its discovery demonstrates the value of publicly available source code.
The question now arises as to what the open-source industry should be thinking in terms of ways to reduce the likelihood of similar occurrences in future. Many corporate and governmental organisations use open source very widely, and perhaps these users are the ones who can now assist. It has been suggested that as CIOs come to rely more and more on free open source software, they should be considering ways in which they can contribute back to the community that developed it, whether with developer time, funding or code review and testing. On the basis that the more scrutiny the open source code is under, the more likely it is that bugs will be found, perhaps it is time for large organisations and the open source community to work ever more closely, to everyone's benefit.
Oh, and if you hadn't considered it yet: once a site has been patched (and, ideally, has replaced its certificate) is the time to change your password there. Changing it before the fix is in place simply exposes the new password to the same leak.