Skip to Content

The Underfunded Project Keeping the Web Secure

A security flaw affecting two-thirds of websites is a reminder that the Web relies on a poorly resourced open-source project.
April 8, 2014

Late yesterday we learned that a two-thirds of the world’s websites have a major security vulnerability that could be used to crack encrypted connections and steal user passwords or a company’s encryption keys. The news set system administrators for the estimated 117,000 servers affected (including at major companies like Yahoo) scrambling to roll out a fix. It is also leading some people to ponder why the widely-used software in which the critical bug was found doesn’t get better support.

The Heartbleed bug, as it is known, is a small flaw in a version of an open source package called OpenSSL. It’s used by Web servers to offer encrypted “TLS” connections that appear to users as a padlock and “HTTPS” prefix in a browser’s address bar and are used to protect online banking and other private communications.

There are alternatives to OpenSSL but it is by far the most widely used software for the job. Most websites use it to protect their data and that of their users. Yet the OpenSSL project is mostly run by volunteers. It relies on donations and unlike some other open source project has no corporate sponsors.

It’s impossible to say if more funding would have prevented the Heartbleed bug. But some security experts see the incident as a reminder that what is essentially a critical part of the Web’s infrastructure seems to lack appropriate support from those who rely on it.

Christopher Soghoian, a privacy researcher at the ACLU, suggests that government support might be appropriate:

Cryptography professor Matthew Green of Johns Hopkins University came to similar conclusions in his blog post explaining the attack:

“The OpenSSL developers have a pretty amazing record considering the amount of use this library gets and the quantity of legacy cruft and the number of platforms (over eighty!) they have to support. Maybe in the midst of patching their servers, some of the big companies that use OpenSSL will think of tossing them some real no-strings-attached funding so they can keep doing their job.”

Others in the security industry argue that OpenSSL’s design has become outdated and a ground-up replacement is needed. Either way, the chaos – and hazards – created by the Heartbleed bug make a good case for Web companies or even governments to put up the funds to keep basic components of online security like OpenSSL secure.

Keep Reading

Most Popular

open sourcing language models concept
open sourcing language models concept

Meta has built a massive new language AI—and it’s giving it away for free

Facebook’s parent company is inviting researchers to pore over and pick apart the flaws in its version of GPT-3

transplant surgery
transplant surgery

The gene-edited pig heart given to a dying patient was infected with a pig virus

The first transplant of a genetically-modified pig heart into a human may have ended prematurely because of a well-known—and avoidable—risk.

Muhammad bin Salman funds anti-aging research
Muhammad bin Salman funds anti-aging research

Saudi Arabia plans to spend $1 billion a year discovering treatments to slow aging

The oil kingdom fears that its population is aging at an accelerated rate and hopes to test drugs to reverse the problem. First up might be the diabetes drug metformin.

Yann LeCun
Yann LeCun

Yann LeCun has a bold new vision for the future of AI

One of the godfathers of deep learning pulls together old ideas to sketch out a fresh path for AI, but raises as many questions as he answers.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.