Heartbleed OpenSSL Bug Reveals the True Cost of Open-Source Software

NEWS ANALYSIS: The vast majority of those taking advantage of free, open-source software such as OpenSSL do nothing to contribute to its development—and that's part of the problem.

Every day brings new reports of the threats posed by the Heartbleed bug. But the discovery of Heartbleed has also unearthed a scandal that's plagued the open-source community for years.

The scandal is that giant enterprises are doing nothing to contribute to the development, testing and validation of the free software on which they depend. They are takers, pure and simple.

Nothing makes this more obvious than the details revealed by the German developer who was responsible for the bug in the first place, Dr. Robin Seggelmann.

Dr. Seggelmann, it appears, was spending his end-of-the-year holiday working to fix bugs in the first version of OpenSSL, the encryption software that was becoming a standard on the Internet. While he was at it, Seggelmann developed a way to create a heartbeat function that could keep encrypted sessions open rather than timing out over time.

The idea of a heartbeat in this sense is to confirm to the computer at the remote end of the session that the link is still active, reducing the need to log off and then re-establish an encrypted session to transfer more data. By doing so, he created a way to dramatically reduce latency in these connections by eliminating the hand-shake delay. It was a very good idea.

But as happens so often in development, Dr. Seggelmann made a mistake. He forgot to indicate an end variable, which in turn could cause a buffer overflow, which in turn could reveal up to 64 kilobytes of data in the memory of the server at the remote end. This mistake wasn't caught at the time and eventually ended up in the production code.

So why wasn't the error caught? There's been a lot of speculation in the blogosphere about this, with some suggesting that it was an Evil Plot by the National Security Agency. Others suggested that the developer was incompetent. In reality, neither is true. It was a coding error, pure and simple. It wasn't caught because there are only a handful of people in the entire world working, for free, to develop OpenSSL.

And that idea of an open, free software development environment in which an entire community of programmers work together to create software everyone needs is part of the problem in this case. It's a problem because it assumes that there will be a large community of developers, all of whom check the code over time, looking for errors.

But in the real world, the open-source software is developed and then released into production, and because there are so few people in the community who understand it, very little checking happens.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...