It's Not A Fun Week To Work at OpenSSL, The Mostly Volunteer Project Responsible for the Heartbleed Bug

Friday, April 11, 2014 - 12:15 PM

A rendering of the Heartbleed bug.

Until earlier this week, it's likely that most internet users had never heard of OpenSSL. But thanks to the Heartbleed bug, which put all manner of usernames and passwords at risk, the OpenSSL project is coming under some serious scrutiny. To understand how the Heartbleed bug happened, it's important to understand how the OpenSSL project works.

The OpenSSL project has been around since 1998. Since the project is open source, it is an informal group composed primarily of about a dozen members throughout the world, most of whom have day jobs, and some of whom work on a volunteer basis. Being open source, the OpenSSL project's code has always been public-facing. Any person could download it and modify it or implement it in their own software.

In 2009, Steve Marquess co-founded what is called the OpenSSL Software Foundation, which essentially exists to manage commercial relationships for OpenSSL and make sure the project remains funded. "I consulted for years doing information assurance for the Department of Defense," said Marquess, in a phone interview today. "During which time, as part of that work, I came to understand how important OpenSSL is, how widely it's used, and what a limited, small and resource limited group was handling this critical piece of software. And I wondered what could I do about it?"

Marquess says that even though he is managing the money for the OpenSSL project, it's not as though there are a ton of resources to spread around. He says that last year, the OpenSSL Software Foundation brought in less than $1 million. "I refer to it as a low overhead operation," says Marquess, wryly. "The fascinating, mind-boggling fact here is that you have this critical piece of network infrastructure that really runs a large part of the internet, and there's basically one guy working on it full time."

The reason that most non-tech people haven't heard of OpenSSL before now is simply that it's not something an end user comes in regular contact with. It's like a car's alternator. The car won't run without it, but until it breaks, you have no idea it exists. "It's a serious bug, and I think that part of the reason there's so much criticism is just because OpenSSL for so long, and as widely used as it is, has had such an excellent track record of being secure."

What happened was that over two years ago a volunteer - one who isn't even a member of the OpenSSL project - submitted a line of code with an error in it that was not caught during review, and was eventually implemented. It wasn't until recently that the error was caught by a couple of people reviewing the code, and discussions on how to roll out the fix began.

In the resultant fallout, coders associated with the project have been hounded by the press, maligned on the internet, and the coder who wrote the error has been accused of doing so purposely. Though not a coder himself, Marquess was outspoken in his support for the group. "Imagine that you're one of these developers that works on OpenSSL," says Marquess. "You know this software goes into firewalls, it goes into gateways, it goes into weapons systems, it goes into spacecraft. And you're working on it day after day with this extremely complicated code and you're committing changes. Knowing at any point in time a bug like this could surface and you would be responsible. I tell ya, that takes nerves of steel to deal with that kind of situation. That's pressure I couldn't deal with, and I think the average man on the street could not handle that kind of pressure."

Still, Marquess says that the fallout from Heartbleed has definitely taken its toll. "I think the best way to describe how these guys feel - this is my personal perspective - how these guys feel, is imagine that you're a surgeon. And day in and day out you operate on people. You save lives and you do good works, and one day something goes wrong in the operating room and a patient dies. Even if it's not your fault - keep in mind this bug was not coded by anyone on the OpenSSL team - you're still going to feel terrible that it happened."



Comments [2]


Intel have a new bug of their own in some of their Ivy Bridge processors. The RdRand instruction is broken with implications for internet security. They are so arrogant that they won't even recall or replace the affected chips.
Anyone who is providing code for free is stealing money from people who are trying to provide for their families and children. I don't think it is a great idea. It results in extremely eccentric and peculiar code that is often addressed to psychological needs of the writer rather than the needs of the end user.

Apr. 19 2014 09:30 AM

You may not have written the code, but you verified it, integrated it, and tested it. Shifting the blame is not possible.

Apr. 11 2014 10:40 PM


TLDR is a short podcast and blog about the internet by Meredith Haggerty. You can subscribe to the TLDR podcast here. You can follow our blog here. I tweet @manymanywords and @tldr.
