How Heartbleed Broke the Internet — And Why It Can Happen Again

It's no surprise that a small bug could cause such huge problems. What's amazing, however, is that the code that contained this bug was overseen by only one full-time paid employee.
Illustration: Ross Patton/WIRED

Stephen Henson is responsible for the tiny piece of software code that rocked the internet earlier this week.

The key moment arrived at about 11 o'clock on New Year's Eve, 2011. With 2012 just minutes away, Henson received the code from Robin Seggelmann, a respected academic who's an expert in internet protocols. Henson reviewed the code -- an update for a critical internet security protocol called OpenSSL -- and by the time his fellow Britons were ringing in the New Year, he had added it to a software repository used by sites across the web.

Two years would pass until the rest of the world discovered this, but this tiny piece of code contained a bug that would cause massive headaches for internet companies worldwide, give conspiracy theorists a field day, and, well, undermine our trust in the internet. The bug is called Heartbleed, and it's bad. People have used it to steal passwords and usernames from Yahoo. It could let a criminal slip into your online bank account. And in theory, it could even help the NSA or China with their surveillance efforts.

It's no surprise that a small bug would cause such huge problems. What's amazing, however, is that the code that contained this bug was written by a team of four coders that has only one person contributing to it full-time. And yet Henson's situation isn't an unusual one. It points to a much larger problem with the design of the internet. Some of its most important pieces are controlled by just a handful of people, many of whom aren't paid well -- or aren't paid at all. And that needs to change. Heartbleed has shown -- so very clearly -- that we must add more oversight to the internet's underlying infrastructure. We need a dedicated and well-funded engineering task force overseeing not just online encryption but many other parts of the net.

The sad truth is that open source software -- which underpins vast swathes of the net -- has a serious sustainability problem. While well-known projects such as Linux, Mozilla, and the Apache web server enjoy hundreds of millions of dollars of funding, there are many other important projects that just don't have the necessary money -- or people -- behind them. Mozilla, maker of the Firefox browser, reported revenues of more than $300 million in 2012. But the OpenSSL Software Foundation, which raises money for the project's software development, has never raised more than $1 million in a year; its developers have never all been in the same room. And it's just one example.

In some ways, there's a bug in the open source ecosystem. Projects start when developers need to fix a particular problem, and when they open source their solution, it's instantly available to everyone. If the problem they address is common, the software can become wildly popular in a flash -- whether there is someone in place to maintain the project or not. So some projects never get the full attention from developers they deserve. "I think that is because people see and touch Linux, and they see and touch their browsers, but users never see and touch a cryptographic library," says Steve Marquess, one of the OpenSSL foundation's partners.

Another Popular, Unfunded Project

Take another piece of software you've probably never heard of called Dnsmasq. It was kicked off in the late 1990s by a British systems administrator named Simon Kelley. He was looking for a way for his Netscape browser to tell him whenever his dial-up modem had become disconnected from the internet. Scroll forward 15 years and 30,000 lines of code, and now Dnsmasq is a critical piece of network software found in hundreds of millions of Android mobile phones and consumer routers.

Kelley quit his day job only last year when he got a nine-month contract to do work for Comcast, one of several gigantic internet service providers that ship his code in their consumer routers. He doesn't know where his paycheck will come from in 2015, and he says he has sympathy for the OpenSSL team, developing critical and widely used software with only minimal resources. "There is some responsibility to be had in writing software that is running as root or being exposed to raw network traffic in hundreds of millions of systems," he says. Fifteen years ago, if there was a bug in his code, he'd have been the only person affected. Today, it would be felt by hundreds of millions. "With each release, I get more nervous," he says.

Money doesn't necessarily buy good code, but it pays for software audits and face-to-face meetings, and it can free up open-source coders from their day jobs. All of this would be welcome at the OpenSSL project, which has never had a security audit, Marquess says. Most of the Foundation's money comes from companies asking for support or specific development work. Last year, only $2,000 worth of donations came in with no strings attached. "Because we have to produce specific deliverables that doesn't leave us the latitude to do code audits, security reviews, refactoring: the unsexy activities that lead to a quality code base," he says.

The problem is also preventing some critical technologies from being added to the internet. Jim Gettys says that a flaw in the way many routers are interacting with core internet protocols is causing a lot of them to choke on traffic. Gettys and a developer named Dave Taht know how to fix the issue -- known as Bufferbloat -- and they've started work on the solution. But they can't get funding. "This is a project that has fallen through the cracks," he says, "and a lot of the software that we depend on falls through the cracks one way or another."

Earlier this year, the OpenBSD operating system -- used by security-conscious folks on the internet -- nearly shut down after being hit by a $20,000 power bill. Another important project -- a Linux distribution for routers called OpenWrt -- is also "badly underfunded," Gettys says.

Gettys should know. He helped standardize the protocols that underpin the web and build core components of the Unix operating system, which now serves as the basis for everything from the iPhone to the servers that drive the net. He says there's no easy answer to the problem. "I think there are ways to put money into the ecosystem," he says, "but getting people to understand the need has been difficult."

Eric Raymond, a coder and founder of the Open Source Initiative, agrees. "The internet needs a dedicated civil-engineering brigade to be actively hunting for vulnerabilities like Heartbleed and Bufferbloat, so they can be nailed before they become serious problems," he said via email. After this week, it's hard to argue with him.