Wall Street Journal: The encryption flaw that punctured
the heart of the Internet this week underscores a weakness in
Internet security: A good chunk of
it is managed by four European coders and a former military
consultant in Maryland.
To answer some of the astonished comments I made yesterday, the
lack of contributors to the project is baffling. So: the whole
Internet relied on 10 volunteers and 1 employee and nobody helped
them?
I guess this sort of comes back to one of the essential question
in Free Software: how do you get the users to fund it? For some
kind of software, this can be difficult; but in the case of
OpenSSL I would have thought this to be an easy thing, since so
many banks and web companies intensively rely on it.
But apparently, they didn’t care at all if this major piece of
security they were using was able to keep up with security
standards or not. Considering the number of people involved with
the project, I don't see how it can put enough scrutiny and
efforts to make sure it follows the best security review.
(Now, I have to wonder if the WSJ piece is actually correct in the
way it counts the contributors to the project, because it's fairly
possible that lots of companies making use of OpenSSL actually had
security experts and developers in-house test the code and send
patches and bug reports upstream; a bit like Google and that other
security firm did when they found out about Heartbleed…)
According to Brett Simmons, That pretty much wraps it up for
C.
The whole heartbleed bugs also reminds me that OpenSSL is also an
example of bad idea when it comes to
licensing
issues.