The Heartbleed vulnerability is not only a catastrophic security issue; it also touches on other interesting topics.
The first obvious lesson is that the communication around the vulnerability was brilliant marketing. The other lesson, less satisfying, is the question of why the majority of the Internet is relying on a very poorly funded project.
The Washington Post published an article that misses the real issue. The Heartbleed debacle is not an issue with the fact that OpenSSL is Free Software (the Apple goto fail bug shows it is even worse when the code is proprietary: all Apple users had to wait several days before a patch was shipped), nor with the fact that the Internet has no single authority (if anything, the OpenSSL library is a single point of failure).
I find it astonishing that OpenSSL is so poorly funded and apparently lacks a governance strategy that includes large stakeholders such as the major websites that use the library, which are instead essentially all irresponsible free-riders. The real issue here is one of responsibility.
XKCD has an amazingly simple explanation of how the vulnerability works.