How to Stanch the Heartbleed: Short-Term Fixes and Long-Term Solutions

Experts disagree over the potential impact of Heartbleed. Many worry about the sheer ubiquity of OpenSSL, which serves as the encryption platform for many Android devices and over two-thirds of the Internet, and which has been adopted by companies like Amazon, Facebook, Netflix and Yahoo. Government entities like the F.B.I. and the Pentagon also rely upon OpenSSL. Two weeks ago, the Canada Revenue Agency announced that its website was attacked with Heartbleed over a six-hour period, during which the information of approximately nine hundred Canadian taxpayers was stolen.

Some experts indicate that the Canada Revenue Agency incident was unique – a foreseeable result of Heartbleed’s powerful zero-day exploit – and that Heartbleed will not be used to steal mundane passwords or other such data. But apart from costs related to stolen data, Heartbleed-related costs will accrue from tasks like building and implementing patches, scanning for risk, resetting passwords, and certificate revocation bandwidth. The last item alone might amount to “millions” – whereas the costs of resetting passwords and general Heartbleed-induced panic are even harder to estimate, and thus might be too easily dismissed.

Using password managers like 1Password plus browser extensions like Chromebleed could help individual users evade Heartbleed and other such bugs for the short term. So would changing passwords on any websites stating that 1) they are no longer vulnerable to Heartbleed and that 2) they have changed the private encryption key they use to protect HTTPS traffic. Both conditions matter: a new password sent to a site that is still vulnerable, or that still uses a private key an attacker may already hold, can simply be stolen again. Widespread adoption of two-factor authentication processes is an adequate “medium term” solution. But preventing Heartbleed-like bugs for the long term cannot be accomplished through easy fixes.
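Condition 2 above is something a user or administrator can partly verify: if a site's certificate was issued before the public disclosure of Heartbleed (7 April 2014), the private key behind it has not been replaced since the bug became known. The following is an added example, not code from the original article or any site's own tooling; it uses only Python's standard `ssl` module, and the certificate dictionaries at the bottom are constructed sample data in the shape `SSLSocket.getpeercert()` returns. The helper names (`cert_reissued_after_disclosure`, `password_change_advice`, `fetch_peer_cert`) are assumptions of this example.

```python
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure of Heartbleed (CVE-2014-0160): 7 April 2014, taken as UTC.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc).timestamp()


def cert_reissued_after_disclosure(cert, disclosure_ts=HEARTBLEED_DISCLOSURE):
    """True if the certificate's validity period starts on or after the
    disclosure date. `cert` has the dict shape returned by getpeercert().

    Caveat: a later notBefore proves a new *certificate* was issued; it does
    not by itself prove a new *private key* was generated (an operator can
    re-certify the old key). Where the pre-disclosure certificate is known,
    compare its public key as well.
    """
    not_before = cert.get("notBefore")
    if not_before is None:
        raise ValueError("certificate has no notBefore field")
    # Format is e.g. "Apr  7 00:00:00 2014 GMT"; parsed as UTC by the stdlib.
    issued_ts = ssl.cert_time_to_seconds(not_before)
    return issued_ts >= disclosure_ts


def password_change_advice(site_reports_patched, cert):
    """Apply the two conditions from the article and return (action, reason)."""
    if not site_reports_patched:
        return ("wait", "site has not reported that it is patched; a new "
                        "password could be leaked from server memory again")
    if not cert_reissued_after_disclosure(cert):
        return ("wait", "certificate predates disclosure, so the HTTPS key "
                        "may still be one an attacker already extracted")
    return ("change", "site is patched and presents a certificate issued "
                      "after disclosure; rotate the password now")


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch a live site's certificate as a getpeercert() dict (network use only)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (only the fields this check reads).
OLD_CERT = {"subject": ((("commonName", "example.invalid"),),),
            "notBefore": "Mar 30 00:00:00 2014 GMT",
            "notAfter": "Mar 30 00:00:00 2015 GMT"}
NEW_CERT = {"subject": ((("commonName", "example.invalid"),),),
            "notBefore": "Apr 12 00:00:00 2014 GMT",
            "notAfter": "Apr 12 00:00:00 2015 GMT"}

if __name__ == "__main__":
    for patched, cert in ((False, OLD_CERT), (True, OLD_CERT), (True, NEW_CERT)):
        action, reason = password_change_advice(patched, cert)
        print(f"patched={patched} notBefore={cert['notBefore']}: {action} ({reason})")
```

For a live check, replace the sample dictionaries with `fetch_peer_cert("example.invalid")` (substituting the real host); the site's own statement that it has been patched still has to come from the site, since a certificate date alone cannot show whether the server software was updated.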

Long-term solutions include abandoning OpenSSL altogether in favor of private-market equivalents, or ensuring that OpenSSL receives a steady influx of funds and manpower. The first option appeals to commentators who believe that OpenSSL contributors, as unpaid volunteers, are simply under-incentivized to check for Heartbleed-like errors – an allegedly grueling and monotonous task, which earns them neither bonuses nor pink slips.

However, some economists argue that open source programmers largely operate within a gift economy, wherein notions of contribution, community, honor and prestige are powerful motivators. Pure altruism and “reciprocal altruism” – the belief that other programmers will likewise share their valuable solutions – are two other weighty yet oft-overlooked motivators.

Other economists note that unpaid participation in the open source community still yields commercial rewards in the labor market, such as job offers or attention from venture capitalists. And a recent Linux Foundation survey indicates that nowadays, contributing to open source projects has become a job requirement for many programmers at companies like IBM, Intel, Google, and Samsung.

So perhaps open source advocates are right – OpenSSL contributors are under-funded, not under-incentivized. After all, OpenSSL has thus far survived with under $2000 in yearly donations whereas Linux – widely touted as an open source triumph – regularly garners over $500,000 in donations per year. With a fitting budget, OpenSSL could thrive like Linux and prevent other Heartbleed-like outbreaks.

Thankfully, last week, the Linux Foundation announced a three-year, multi-million dollar initiative to help under-funded open source projects, including OpenSSL – which can now afford to conduct security audits, enable outside reviews, and hire more than one full-time developer. The Core Infrastructure Initiative should prove successful precisely because Linux Foundation leaders promise to respect OpenSSL community norms and preserve OpenSSL’s autonomy.
