Heartbleed was a vulnerability found in OpenSSL in 2014. It was a very scary vulnerability because it meant that what we thought was protected by encryption… wasn’t. You can even find exploits for it on GitHub.
OpenSSL is used all over the Internet; Wikipedia claims that the majority of HTTPS websites use it. It’s an open source project with a robust group of contributors who keep it running.
OpenSSL, a community project, has become part of the fabric that keeps the Internet secure. It powers HTTPS, which protects passwords, credit card numbers, social security numbers: all of the personal information you don’t want to share is supposed to be protected by OpenSSL. And it’s that community that keeps it going.
Heartbleed showed everyone that we’re relying on a product made by a group of people who work together without a budget to keep things going. It isn’t a company with a product it sells; it’s an open source tool that has become so widespread that a vulnerability in the tool can affect everyone. We also, as end users, have very little control over this. We could contribute to the project, but we would still be relying on that group of contributors to keep things safe.
Vulnerabilities in software are concerning, especially those that leave us open to attack if they aren’t patched. In this case, the attack is on our privacy, not necessarily on the system itself.
Heartbleed hasn’t been fixed everywhere. Censys.io offers a scan of the IPv4 address space looking for vulnerable sites. Unfortunately, the result isn’t empty.
What can we learn from this? What lessons should we carry forward?
Write a column for DTRAP (https://dtrap.acm.org) on the history of Heartbleed and what we can learn from it going forward. Tell us what you think about it.