OpenSSL, the fundamental layer of encryption used by major websites around the world, was found to be flawed. Through a specific type of attack, a victim’s personal data including passwords, financial credentials could be stolen.
While the discovery of a vulnerability in OpenSSL didn’t come as much of a surprise to those who work in the security industry – after all, completely secure code is a rarity. Instead, the shock was the extent of the vulnerability, with around 60% of the entire web at risk.
Now, a year on, I’d love to be able to say that we’ve learned many lessons from Heartbleed and that the web is now a more secure place. Sadly, it’s not as simple as that.
Public awareness remains a major issue for Internet security. Recent research from password security developer Dashlane indicates that a year on, 86% of American's have not heard of Heartbleed.
Dashlane spoke to AVG's Chief Strategy Officer, Todd Simpson, about their results.
[st_video template="BC1" Title="The State of Online Security One-Year After Heartbleed" Link="https://www.youtube.com/watch?v=MEaX2tjUxQE"]
However, awareness is just one issue. Months after Heartbleed broke, I wrote of several further vulnerabilities in OpenSSL that had also emerged. Although each vulnerability discovered is theoretically a vulnerability fixed, it highlights the fact that this is still much work to be done. This is particularly true of open source software.
Open source software has several major benefits and will be around for a long time yet, but vulnerabilities such as Heartbleed demonstrate that there is risk and responsibility for all of us to protect the systems we have come to rely on.
Why has there been so little progress in securing OpenSSL and similar open source systems since Heartbleed appeared?
In my opinion, the issue lies within the very nature of open source software. OpenSSL is incredibly useful and has been adopted throughout the world, but how many people pay for OpenSSL, or donate time and money to keep it functional and secure? Not so many.
The OpenSSL Project does a great job finding and fixing vulnerabilities when they appear but in order to truly move the dial for Internet security, we need more investment.
Right now, the hands of the world’s online safety is in the hands of only a few coders working in small teams. That simply won’t do.
In April last year I wrote a blog highlighting a number of ways that we can all work together to improve the security of open source software.
Ultimately, it comes down to the fact that vulnerabilities will always exist; it’s up to all of us to take responsibility for our security.