Heartbleed ‘exacerbated’ by OpenSSL Foundation’s pursuit of consultancy gigs

OpenBSD director Bob Beck criticises group for not maintaining code.

By Jimmy Nicholls

Heartbleed was exacerbated by a chronic neglect of OpenSSL by its supporting foundation as it pursued lucrative contracts, according to Bob Beck, director of the OpenBSD Foundation (OBF).

Beck accused the OpenSSL Software Foundation (OSF) of neglecting the technology, adding new features in preference to fixing existing code and in the process discouraging outsiders from becoming involved with the project.

Criticising the way the technology handled memory allocation, Beck said: "It could not have been designed better to make an attack like Heartbleed both hard to detect, and have dire consequences."

Developers from the OBF are working on a replacement for OpenSSL called LibreSSL, a decision Beck claims was sparked by the old technology’s poor memory allocation, rather than the discovery of the Heartbleed bug.
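To make Beck's point about memory allocation concrete: OpenSSL at the time recycled freed buffers through its own free-list instead of handing them back to the system allocator, so the guard pages and junk-filling of a hardened malloc such as OpenBSD's never saw them (this detail is not stated on the page). The following is an added illustration, not code from OpenSSL, LibreSSL or this article. It contrasts a hypothetical toy free-list allocator (`pool_alloc`/`pool_free`, assumed names) with a scrub-on-free variant, and checks whether data written by a buffer's previous owner is still present when the buffer is reused.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical toy free-list allocator (added example, not OpenSSL's code):
 * freed blocks are parked on a list and handed straight back to the next
 * caller without being cleared, which is what keeps stale data alive. */
#define BLOCK_SIZE 64
#define FREELIST_MAX 8

static char *freelist[FREELIST_MAX];
static int freelist_len = 0;

char *pool_alloc(void) {
    if (freelist_len > 0)
        return freelist[--freelist_len];   /* recycled: old contents intact */
    return malloc(BLOCK_SIZE);
}

void pool_free(char *p) {
    if (freelist_len < FREELIST_MAX)
        freelist[freelist_len++] = p;       /* cached, never scrubbed */
    else
        free(p);
}

/* Defender's variant: scrub on free, zero on allocation, and let the
 * system allocator (and whatever hardening it has) see every block. */
char *hardened_alloc(void) {
    return calloc(1, BLOCK_SIZE);
}

void hardened_free(char *p) {
    /* explicit_bzero() on OpenBSD; plain memset here for portability */
    memset(p, 0, BLOCK_SIZE);
    free(p);
}

typedef char *(*alloc_fn)(void);
typedef void (*free_fn)(char *);

/* Returns 1 if a block recycled by the given allocator still holds the
 * value written by its previous owner, 0 otherwise. */
int stale_data_survives(alloc_fn a, free_fn f) {
    const char secret[] = "constructed-secret";   /* constructed sample value */
    char *first = a();
    if (first == NULL)
        return -1;
    memcpy(first, secret, sizeof secret);
    f(first);                                      /* owner is done with it */
    char *second = a();                            /* next caller gets a block */
    if (second == NULL)
        return -1;
    int leaked = memcmp(second, secret, sizeof secret) == 0;
    f(second);
    return leaked;
}

int main(void) {
    printf("free-list allocator leaks stale data: %d\n",
           stale_data_survives(pool_alloc, pool_free));
    printf("scrub-on-free allocator leaks stale data: %d\n",
           stale_data_survives(hardened_alloc, hardened_free));
    return 0;
}
```

The free-list version reports 1: the second caller receives the first caller's bytes untouched, and nothing the platform allocator could have done (junk fill, guard pages, use-after-free detection) had a chance to intervene. The scrubbed version reports 0. This is the property a reviewer should look for when auditing a library that wraps `malloc`: whether freed memory is ever returned to the system at all, and whether it is cleared first.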

The OBF aims to preserve compatibility with OpenSSL, while enticing more people to work on the codebase and modernise the coding. The foundation is currently seeking funding for its project, which it hopes to maintain alongside its existing commitments to other open-source software.

"Horrible code actively discourages outside involvement," Beck said. "The barrier to entry for other developers is too high. Everyone looks at it, and goes back to doing their own stuff, hoping like heck that the upstream maintainers know what they are doing and care.

"I honestly think a lot of it is not necessarily deliberate incompetence or malice, it’s just a case of the codebase starting to go that way and nobody put the time and effort in to fix it, and nobody had enough of a strong hand to say ‘This can’t stay this way’."


Heartbleed attained notoriety last month when it was revealed that OpenSSL had made clients and servers vulnerable to eavesdropping for at least two years.

The bug affected many of the world’s biggest tech companies, including Facebook, Google and Yahoo, and is thought to have afflicted half of all web servers, equating to more than half a billion websites.

"We’ve got a very good start on cleaning it up, it’s certainly a lot better than it was a month ago," Beck added. "We know where we want to go with this, and we want to bring the rest of the community with us."

According to its website, the OSF offers consultancy services for $250 per hour, with annual support contracts charged at upwards of $20,000. It does not provide free consulting support.
