This week, part of the internet broke. Again. Some important people even called it an 11 on a scale from 1 to 10. And I don’t disagree. After the recent Apple goto fail SSL bug and NSA RSA debacle this was actually worse.
So everyone agreed on that. But 3 things, regarding open source software, stood out for me from all this.
1. OpenSSL is a great example of just one open source product that makes up for an incredibly fundamental part of the internet. But it is not a sexy project, (so) it doesn’t have a ton of developers. And now that it broke we’ve seen the enormous impact that this piece of software, that is developed by only a handful of people, has on the lives of billions of people. Think about that for a minute. Every major website that I visit or that I am subscribed to has emailed me to change my passwords. And they’re not just emailing me alone. And this is just one open source product developed by a small team that receives about $2000 in donations per year!
I think it speaks volumes of the power of open source and the impact you can make in contributing to it. I think that is quite magical.
2. After the Heartbleed announcement the sentiment was: go update your OpenSSL packages and revoke en reissue your certificates!
Great. Makes sense right?
No. No not really. Why on earth would we trust the OpenSSL codebase ever again after this disaster?! Theo de Raadt calls the developers irresponsible and the respected author of Varnish wrote about the mess that is the OpenSSL codebase three years ago. He wouldn’t touch it with a ten foot pole. Yet, the overall sentiment seems to be that if you update your OpenSSL stack and revoke/reissue your certificates you’re fine. Really?! What else is in there?!
Part of the problem here is that there are no real alternatives. There are a couple of other SSL/TLS implementations, but that route seems more complicated than to update OpenSSL. So everyone is still using OpenSSL. But also, and this is very important, because no-one seems to distrust the intentions of the OpenSSL team (there were some NSA related conspiracy stories: but they got debunked). So it looks like “OpenSSL messed up, we fixed it, let’s move along”. And that is a good thing.
So what happens next? Are more people reviewing the code? Are more donations coming in to fund this fundamental part of the internet (and therefore our lives)? I sure hope so. Also for the people that discovered the bug (two different people), I hope they will use their skill to inform vendors/distros first before picking a catchy name, registering a domain and creating a fancy logo to announce a big problem to the world. At least it looks like they’re trying to help now. And they didn’t sell it to blackhats (I think).
3. So even though we have the source and we can look at it; the codebase is large and messy. In my estimate this is not unusual for open source projects with a long history. (However the consequences for security related projects tend to be bigger.) So this problem went unnoticed until someone pointed it out. Therefore more people looking at it and more time dedicated to it would make it (incrementally) better I think. But, there will always be bugs.
So which is it?
And that is the other side of open source software and software in general. Software is ‘OK’ until someone points out the bug. And everybody thought OpenSSL was secure. Until it wasn’t.
It’s almost like Schrödingers’ cat paradox. Like software can be two things at once. We all trusted OpenSSL, it was after all the very definition of security. Until proven otherwise. And the bug was just ‘always’ right there.
So I’d like to argue this: all software is broken by default. And all we can do is be on the lookout and fix problems when they arise.
And at least in the case of OpenSSL we can look at the code and make it better. And I wouldn’t want it any other way.
