#heartbleed Openssl needs a real investment if it wants to stay important

"The OpenSSL team, which is surprisingly small, has been given the task of maintaining the world's most popular TLS library. It's a hard job with essentially no pay. It involves taking other folks' code (as in the case of Heartbeat) and doing a best-possible job of reviewing it. Then you hope others will notice it and disclose it responsibly before disasters happen," noted Matthew Green, a cryptographer and research professor at Johns Hopkins University.

"The OpenSSL developers have a pretty amazing record considering the amount of use this library gets and the quantity of legacy cruft and the number of platforms (over eighty!) they have to support. Maybe in the midst of patching their servers, some of the big companies that use OpenSSL will think of tossing them some real no-strings-attached funding so they can keep doing their job."

Google has recently started a Patch Rewards Program to reward researchers who aim to "improve the security of key third-party software critical to the health of the entire Internet" with "down-to-earth, proactive improvements that go beyond merely fixing a known security bug." The program includes many open source projects, including OpenSSL.

The thing is, as Paul Roberts notes, this situation is "a plain reminder of the extent to which modern, IT infrastructure has become dependent on the integrity of third-party code that too often proves to be unreliable. In fact, Heartbleed and OpenSSL may end up being the poster child for third-party code audits."
http://www.net-security.org/secworld.php?id=16678

if there is no real investment from those firms like Google who are making billions for their investors but are using lousy free software to cut costs than this is not worth the risk

the idea of OpenSource was not that or should not be that - people working for free to keep the internet cheap and secure and creative while the biggest firms are just abusing it to make more money profiting without giving anything substantial back

maybe they should 'patronize' a few projects like that or they should take x percent of the business versions of the software so that they are sure to have enough income from that to be able to give a solid and secure free version

The comments are closed.