The OpenSSL project describes itself as “a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.” The software developed by OpenSSL can be freely adopted by server operators and operating system developers to implement SSL without having to pay royalties to commercial firms.
In early April security specialists at Google and Codenomicon, a Finnish computer security firm, independently identified a vulnerability in the OpenSSL Heartbeat software that could allow access to cryptographic keys, compromising the security of websites using the software. The flaw was significant because it had existed for two years and left no trace if it was exploited. The last two weeks have seen hurried upgrading of systems to close the vulnerability and widespread requirements for users to reset their passwords. Codenomicon gave it the catchy name Heartbleed, set up a website for it and gave it a logo; by now it probably has its own Twitter and Facebook pages so that you can “follow” or “like” it.
The number of websites affected is a graphic illustration of the success of open-source software; but the bug also demonstrates the potential operational risks for users of depending on software developed in non-commercial communities. The coding error was introduced into the code by Dr Robin Seggelmann and was reviewed by only one person, who missed it, before it was circulated to the world. The code with the vulnerability was freely available, so the fact that no-one spotted the bug in two years shows the confidence, or appetite for risk, of commercial users of the software. Of course no-one can be sure that the vulnerability was not spotted by people who quietly exploited it, whether criminals or security agencies.