May 2014: April 2014 was the month OpenSSL became really, really famous. Not because everyone learned it’s a super-useful encryption tool that most websites use but because it had one tiny bit of bad code — a bug. And that Heartbleed bug broke Internet security for a while.
Why is OpenSSL used on so many websites? And what should your company consider if you’re using it, too? Hop on this quick summary and find out:
The majority of the Internet is powered by various open-source solutions because the code is free. It’s written by engineers and enthusiasts in their spare time and it’s available in the open-source universe to help developers make websites and other tech stuff do useful things.
OpenSSL is an open-source code library that’s used to secure connections between computers and servers. SSL stands for Secure Sockets Layer, and OpenSSL is available free to anyone who visits the website (including hackers). The OpenSSL project is a volunteer-driven organization with one full-time employee.
“Why buy an SSL toolkit as a black box when you can get an open one for free?”
This is what the OpenSSL project asks on its website — tough to argue with that!
It’s free code, in fact, that has made free online platforms (Facebook, Gmail, Yahoo! sites, Dropbox, Instagram and more) and cheap cloud solutions possible. If companies had to pay Microsoft or other fee-based cryptography providers for the code that’s used on each of their servers, the Internet would look completely different today.
In addition to that, many businesses would be making a lot less money. For example, NetApp, an $11B company, grew from the open-source community. And companies like Cisco and Juniper have embedded OpenSSL into some of their successful solutions. Of course embedding OpenSSL also made those products vulnerable to Heartbleed. Already millions of dollars have been spent dealing with the Heartbleed fallout, making the “free” code anything but. And it’s going to take a while to clear everything up because the OpenSSL code has long tentacles.
The problem of Quality Assurance
So who’s to blame for Heartbleed? A small group of volunteers can’t realistically be expected to provide the same kind of quality assurance processes that a for-profit, revenue-producing organization could provide. OpenSSL isn’t even a product. It’s a crowd-sourced project. And, according to at least one expert, it has not been managed effectively due to funding issues and it probably needs to be replaced entirely.
Ultimately, if your company’s platform is powered by OpenSSL and something goes wrong, you are to blame. You can’t blame the crowd or the volunteer who mistakenly wrote a bad line of code.
Owning the code
If you have people on staff who can confidently handle any issues that come up with OpenSSL, that’s one thing. It’s quite another story if you’re relying on the open-source community to respond to your queries. Often you get exactly what you pay for, and business-class support with 24/7 response isn’t free.
With proprietary software, on the other hand, you get better support, engineers who are employed to work specifically with that software and — maybe most importantly, depending on your business — written warranties and liability insurance. But this doesn’t mean the software won’t have flaws and bugs, too! The developers just have an ecosystem and processes for evaluating and resolving problems with their code (think “Patch Tuesday” from Microsoft).
So when you’re making decisions about using OpenSSL (or open-source anything), consider the entire cost-benefit spectrum and the type of support that’s best for your company.
And if you want to understand how, exactly, Heartbleed broke Internet security for a while, Gizmodo explains it well and provides a great real-world analogy at the end of the article.