Last week saw a major vulnerability exposed in a widely used piece of software, and ironically this time not only was it not software from Microsoft, but they were one of the few companies totally unaffected. The flaw was discovered in OpenSSL, an open source piece of software which is used to encrypt communications over the web. OpenSSL is widely used in everything from online shopping and online banking to mobile apps and the flaw left many websites and companies exposed; everyone from Mumsnet to Amazon Web Services, Google to Facebook, and Yahoo were affected.
This has led many to question the safety and security of open source software, surely much to the delight of companies like Microsoft.
Open Source = More eyes?
An oft expressed view when it comes to open source, is that it is better because it is open and means that more people are looking at the source code and therefore there are more eyes to spot vulnerabilities, back doors and other problems, malicious or otherwise – but is that the case?
As an open source software user, I have often wondered about the source code for the software that I use, yet I have never felt the need to examine it. The errant code that allowed the Heartbleed exploit was added more than two years ago, yet no-one spotted the potential problem in all that time, at least no-one that cared to point it out – there are rumours that the NSA found and exploited the vulnerability some time ago.
OpenSSL is used by millions and millions of people, and the source code is freely available to all, apparently. Yet it took two years for someone to realize the problem was there. This may be because despite millions of users, there were just four volunteers producing the code and not many more tracking it. It seems that everyone appeared to assume that someone else was checking the code.
SEP (Somebody Else’s Problem)
The Heartbleed revelation has led many to question whether the open source really is as safe as has been claimed. If such a popular piece of software can trundle along quite happily for more than two years with such a major flaw, what about less well used pieces of software?
This really should be a wake up call to open source users, especially the big users like Facebook, Google et al who can surely no longer just assume that checking the software and properly supporting it is somebody else’s problem.
Safety in numbers really doesn’t seem to work when no-one is paying attention.