As users of the internet, and dependent on its security, we should note the following lessons from the HeartBleed weakness in OpenSSL:
- Very Large corporations and government functions, such as CRA (Canada’s federal Canada Revenue Agency, our tax collector) use free software without having it audited.
- Those same Very Large corporations don’t hire a ‘black hat’ person to try to intrude, or to look at the source code. (I point out that the source code is ‘open source’, available for anyone to read who understands the programming language.)
- Apparently, the NSA (National Security Agency, USA) knew about this bug. Persistent rumours fly that it was used by them for two years to spy on any ‘interesting transactions’ that were thought by their users to be secure.
- Despite the commonness of the code, relatively few corporations took the step that CRA did, of shutting down their websites until a fix was installed.
- In Canada, CSEC (Communications Security Establishment Canada) knew of the bug for a full day before informing anyone. Let’s hope they informed all websites before telling the public.
Let me come back to the point about free software. I use free software, lots of it. I use free software to detect viruses and spyware in other free software. I do not have any of your records on my computer. Large government agencies, and large corporations, do. They can afford to at least test the free software they use, to audit and black-hat check it.
The final lesson: you are not secure. Potentially buggy software, with accidental or created weaknesses, may be running your next financial transaction. You are wearing the emperor’s new clothes: ‘He ain’t got no shield on.’