Tough Love for the Encryption Software That Was Compromised by Heartbleed

Future Tense
The Citizen's Guide to the Future
May 29 2014 7:09 PM

We all use OpenSSL whether we know it or not.

Photo by YASUYOSHI CHIBA/AFP/Getty Images

The Linux Foundation, which supports the Linux operating system and other open-source projects, is giving the open-source encryption protocol that contained the Heartbleed vulnerability some tough love. The foundation is funding an audit of OpenSSL's code and also paying the salaries of two programmers who will work on OpenSSL full time.

Previously, 10 volunteers devoted significant time to OpenSSL, and only developer Stephen Henson worked on it full time. In hindsight this seems like a paltry team, given that OpenSSL has been and continues to be ubiquitous. OpenSSL, or Secure Socket Layer, is a cryptographic protocol that secures interactions like online banking and many communication services. When you see the “https” prefix on a URL, that’s OpenSSL at work. Henson will receive one Linux Foundation grant, along with Andy Polyakov.


The OpenSSL project is part of a new, broader effort called the Core Infrastructure Initiative that will give attention to under-resourced but valuable open-source projects. As the Linux Foundation's announcement explains:

The computing industry has increasingly come to rely upon shared source code to foster innovation. But as this shared code has become ever more critical to society and more complex to build and maintain, there are certain projects that have not received the level of support commensurate with their importance. CII changes funding requests from the reactive post-crisis asks of today to proactive reviews identifying the needs of the most important projects.

The project is being backed by large tech companies like Adobe, Amazon Web Services, Cisco, Facebook, and Google. Ars Technica reports that the companies are all giving at least $100,000 a year for three years. So far the Linux Foundation has raised $5.4 million to be spent over the next three years. And OpenSSL is also still collecting donations through the OpenSSL Foundation. Maybe open-source code makeovers will be the next big reality show. OK, probably not.

Future Tense is a partnership of Slate, New America, and Arizona State University.

Lily Hay Newman is lead blogger for Future Tense.
