SA Forum is an invited essay from experts on topical issues in science and technology.
Heartbleed is the most serious Internet security flaw yet. For about two years, two thirds of Web sites were susceptible to having their memory extracted by remote attackers—memory containing private information, passwords and encryption keys. Heartbleed attacks would not have shown up in most sites’ logs, so we can’t be sure how widely it was exploited or what might have leaked. Some evidence suggests active exploitation of Heartbleed as long ago as November 2013, but researchers are still working to verify those claims.
Heartbleed was caused by a programming error in code submitted to the OpenSSL encryption package by a German PhD student back in 2011. It was a common type of error but somehow nobody spotted it. Not only did the flawed code make it through OpenSSL’s vetting process but even after it was adopted into the official OpenSSL version the hole sat unnoticed for two years.
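The "common type of error" the essay refers to is a missing bounds check: a program trusts a length field supplied by the remote peer instead of comparing it with the number of bytes it actually received. The following added example (written for this page; it is not OpenSSL's code, and the two-byte length-prefixed record format, the `parse_record`/`echo_record` helpers and the sample records are all constructed assumptions) shows the check that must be present in any echo-style message handler. A malformed record that declares more bytes than it carries is rejected rather than answered, which is the defensive behaviour a code review or audit should be confirming.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record layout used for illustration only:
 *   [2-byte big-endian payload length][payload bytes]
 * This is NOT the OpenSSL heartbeat format, just the same class of parsing problem. */

#define MAX_PAYLOAD 64

/* Copy the payload of one record from `buf` (holding `buf_len` received bytes)
 * into `out`. Returns the payload length on success, -1 if the record is malformed.
 * The essential check: the peer's declared length is never trusted on its own;
 * it must fit inside the bytes that were actually received. */
int parse_record(const uint8_t *buf, size_t buf_len, uint8_t *out, size_t out_cap) {
    if (buf == NULL || out == NULL) return -1;
    if (buf_len < 2) return -1;                 /* not even a complete length field */
    size_t declared = ((size_t)buf[0] << 8) | buf[1];
    if (declared > buf_len - 2) return -1;      /* declared length runs past received data */
    if (declared > out_cap) return -1;          /* and must not overflow the destination */
    memcpy(out, buf + 2, declared);
    return (int)declared;
}

/* Build an echo response that repeats the validated payload back to the peer.
 * Returns the total response length, or -1 if the request was rejected.
 * Because the payload came from parse_record, only bytes the peer actually
 * sent can ever be copied into the reply. */
int echo_record(const uint8_t *req, size_t req_len, uint8_t *resp, size_t resp_cap) {
    uint8_t payload[MAX_PAYLOAD];
    int n = parse_record(req, req_len, payload, sizeof payload);
    if (n < 0) return -1;
    if ((size_t)n + 2 > resp_cap) return -1;
    resp[0] = (uint8_t)(n >> 8);
    resp[1] = (uint8_t)(n & 0xff);
    memcpy(resp + 2, payload, (size_t)n);
    return n + 2;
}

/* Constructed sample inputs exercising the well-formed and malformed paths. */
int demo_good_record(void) {
    static const uint8_t good[] = {0x00, 0x05, 'h', 'e', 'l', 'l', 'o'}; /* declares 5, carries 5 */
    uint8_t resp[MAX_PAYLOAD + 2];
    return echo_record(good, sizeof good, resp, sizeof resp);            /* 2 + 5 = 7 */
}

int demo_bad_record(void) {
    static const uint8_t bad[] = {0x40, 0x00, 'h', 'i'};                 /* declares 16384, carries 2 */
    uint8_t resp[MAX_PAYLOAD + 2];
    return echo_record(bad, sizeof bad, resp, sizeof resp);              /* rejected: -1 */
}

int demo_truncated_record(void) {
    static const uint8_t stub[] = {0x00};                                /* length field incomplete */
    uint8_t resp[MAX_PAYLOAD + 2];
    return echo_record(stub, sizeof stub, resp, sizeof resp);            /* rejected: -1 */
}

int main(void) {
    printf("well-formed record -> %d\n", demo_good_record());
    printf("over-declared record -> %d\n", demo_bad_record());
    printf("truncated record -> %d\n", demo_truncated_record());
    return 0;
}
```

The single comparison `declared > buf_len - 2` is the line whose absence defines this bug class; a reviewer or auditor reading a message parser should be able to point to its equivalent for every length field read from the network.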
Open-source software like OpenSSL is supposed to be good for security because everyone is free to read and analyze the code. Open code maximizes the odds that somebody, somewhere will find a bug before it burns end users. Open-source advocate Eric S. Raymond famously called this Linus’s Law: “Given enough eyeballs, all bugs are shallow.” That’s good news, if you have enough eyeballs.
But OpenSSL suffers from a major eyeball shortage. The project is maintained by four people, with a budget of less than $1 million per year. Another million or two spent on a security audit might well have prevented Heartbleed. OpenSSL security, however, is a public good with the attendant funding problems: Once it exists, no one can be prevented from benefiting from it, so many hope to free ride after someone else foots the bill.
Government often pays for public goods such as basic scientific research. But government didn’t invest in the security of OpenSSL. Despite spending billions a year on cybersecurity and declaring “cyber” a national priority, government didn’t offer even a few million dollars to bolster this core security infrastructure.
Government also failed to provide authoritative, concrete advice after Heartbleed was made public, when users and small-site operators across the Net were wondering what to do. Although government offers such advice to people faced with natural disasters or physical safety risks, it left users stranded when Heartbleed showed up.
Instead, the best news from government on Heartbleed was the unusually clear and direct White House statement that no part of the U.S. government had known about Heartbleed before it was disclosed. This statement averted the outcry that would have ensued had the National Security Agency been withholding knowledge of a severe vulnerability affecting two thirds of the Web. The administration’s defenders breathed a sigh of relief.
It speaks volumes that many people, including these authors, feared that government had been sitting on knowledge of Heartbleed for months because it preferred to see people vulnerable. That fear turned out to be misplaced—this time. The newly announced policy is to disclose vulnerabilities responsibly, unless there is “a clear national security or law enforcement need.” One commentator likened this to a strict policy of not eating chocolate unless it is delicious.
For the most part, companies are less likely than government to provide public goods such as OpenSSL security funding and broad guidance for users. In the case of Heartbleed some companies warned users to change passwords on the companies’ own sites—and that is a good idea—but few offered general advice.
The simple fact is that we don’t have the institutions we need to support security for ordinary Internet users. Companies aren’t doing the whole job. Government isn’t filling the gap—and cannot do so effectively until it restores trust that it is not taking active steps to undermine security. Somebody needs to take the lead in funding and coordinating audits of infrastructure, organizing useful disclosures of vulnerabilities to the public and providing accessible advice and guidance for users as well as operators of small Web sites.
Existing entities provide some of these functions—for example, the Open Crypto Audit Project seeks to fund and coordinate audits of security-critical open-source software. But a central organization should unify these efforts, identify unaddressed issues and present clear information to the public. If neither government nor private companies will do so, then we need an independent institution dedicated to serving the security needs of end users.
We will be fighting the security battle for a long time, and nothing can make us entirely safe. Heartbleed won’t be the last serious computer security flaw we’ll suffer. But better institutions can make these flaws less frequent, less serious and less confusing to users. With some leadership, and a modest investment, we could have a champion for user security.