Why Despite Heartbleed, Open Source Is Here to Stay

Written by Rita —  May 19, 2014


The biggest security failure in the history of the Internet has put open-source software back on the agenda.

Over the last decade, open-source code has built a strong reputation for being secure and reliable. Open-source software can actually be more reliable than proprietary code because of the Linus’s Law  -named for the creator of Linux, Linus Torvalds, which says that “given enough eyeballs, all bugs are shallow.” In other words. If enough collaborators are looking at the software, bugs and security flaws will be corrected.

The security hole known as Heartbleed, discovered just a few weeks ago, has made millions of people realize what an open-source software called OpenSSL had been doing for them for years.

OpenSSL is an open-source implementation of the SSL and TLS security protocols which secures most of the Internet connections –from online banking and social networks, to email providers. Recently, however, it came to light that an unexpected data leakage from a catalog at the heart of a server had been allowing anyone in the know to access sensitive data virtually on almost any Internet service.

[…] The little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit.

Tumblr, April 8 2014

Some have speculated that the bug’s age (the vulnerability is only found in a few recent releases) and the fact that it is only present in software which anyone can update suggest that “it could have been inserted and then exploited by government spy agencies such as the US’s National Security Agency, which is known to have programs aiming to collect user data”, as The Guardian pointed out on April 9.

While many Internet companies rely on the free code, its integrity depends on a small number of underfunded researchers who devote their energies to the projects.

In contrast, the NSA has more than 1,000 experts devoted to ferreting out such flaws using sophisticated analysis techniques, many of them classified. The agency found Heartbleed shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency’s toolkit for stealing account passwords and other common tasks.

Michael Riley, Bloomberg News, April 12, 2014.

The Core Infrastructure Initiative

Heartbleed is not a failure of the open source architecture and there is absolutely no reason to believe that it happened because it was maintained by volunteers. If the OpenSSL software were a piece of proprietary software, we could inculpate the company behind the program. Back in February, when Apple detected its own SSL-TLS flaw, the multi-billion dollar company was investigated by programmers and security experts and programmers a like.

In fact, a recent study driven by Coverity shows that Open Source software has a fewer defect density than proprietary code.

“In 2013, we saw the quality of open source code surpass that of proprietary code at every level. We did not see the same cliff
in terms of quality for projects with more than one million lines of code.”

Coverity Open Source 2013 Report

Captura de pantalla 2014-05-18 a la(s) 13.37.33

Indeed, the volunteering developers maintaining the Open SSL library said they have only received $2,000 yearly to maintain the code. Inspired by this crisis, world’s biggest technology companies have seen an opportunity to set a group that funds open-source programs like OpenSSL.

The Core Infrastructure Initiative is a multi-million dollar project to fund open source projects that are in the critical path for core computing functions.

The Linux Foundation

Early supporters of the project include Amazon, Cisco, Dell, Facebook, Fujitsu, Goole, IBM, Intel, Microsoft, and NetApp, among others.

Each of these companies will donate $300,000 to support development of OpenSSL, as well as to have developers work full time and paying for other expenses, such as security audits or travel expenses.

LibreSSL –an OpenSSL fork

On the other hand, however, a group of volunteers who don’t believe in patching SSL has recently announced their intention to develop a new standard from scratch, rather than patching the holes on the current technology.

This, which would be called a ‘spin-off’ on TV jargon, is known as a ‘fork’ on the programming world — a branch that arises from discrepancies within the developer community regarding the direction that a particular project has taken.

Just as office suite OpenOffice resulted in LibreOffice, so promoters of a new open-source solution for the most used security protocols have created LibreSSL to try and beat OpenSSL.

OpenExpo Day 2014

Fortunately, there are a plenty more open-source and free software initiatives like this going on around the world.

In Madrid, Spain’s capital, the OpenExpo Day Conference will take place on June 26, 2014 with the aim of spreading the use of open-source technology and promoting collaboration and cooperation among open-source initiatives.

This annual 1-day conference gathers developers and entrepreneurs, as well as companies like Joomla, Magento or MOOC. The agenda includes workshops, demos and key international speakers like Firefox, Drupal, and Symfony.

Earlier editions of the event have gathered more than 950 people on-site and over 1,000 online and it can be followed via streaming or the OpenExpo Youtube Channel. This type of event is indeed the perfect place to discuss the corporate incursion in the open-source world and other crucial news in the open-source world. Get your ticket here!

Photo credits: Muffin




Translator, content writer and geeky linguist in general. I believe information is a powerful tool.