Heartbleed ‘exacerbated’ by OpenSSL Foundation’s pursuit of consultancy gigs

Heartbleed was exacerbated by a chronic neglect of OpenSSL by its supporting foundation as it pursued lucrative contracts, according to Bob Beck, director of the OpenBSD Foundation (OBF).

Beck accused the OpenSSL Software Foundation (OSF) of neglecting the technology, adding new features in preference to fixing existing code and in the process discouraging outsiders from becoming involved with the project.

Criticising the way the technology handled memory allocation, Beck said: "It could not have been designed better to make an attack like Heartbleed both hard to detect, and have dire consequences."

Developers from the OBF are working on replacement for OpenSSL called LibreSSL, a decision Beck claims was sparked by the old technology’s poor memory allocation, rather than the discovery of the Heartbleed bug.

The OBF aims to preserve compatibility with OpenSSL, while enticing more people to work on the codebase and modernise the coding. The foundation is currently seeking funding for their project, which it hopes to maintain alongside its existing commitments to other open-source software.

"Horrible code actively discourages outside involvement," Beck said. "The barrier to entry for other developers is too high. Everyone looks at it, and goes back to doing their own stuff, hoping like heck that the upstream maintainers know what they are doing and care.

"I honestly think a lot of it is not necessarily deliberate incompetence or malice, it’s just a case of the codebase starting to go that way and nobody put the time and effort in to fix it, and nobody had enough of a strong hand to say ‘This can’t stay this way’.

Heartbleed attained notoriety last month when it was revealed that OpenSSL had made clients and servers vulnerable to eavesdropping for at least two years.

The bug affected many of the world’s biggest tech companies, including Facebook, Google and Yahoo, and is thought to have afflicted half of all web servers, equating to more than half a billion websites.

"We’ve got a very good start on cleaning it up, it’s certainly a lot better than it was a month ago," Beck added. "We know where we want to go with this, and we want to bring the rest of the community with us."

According to its website, the OSF offers consultancy services for $250 per hour, with annual support contracts charged at upwards of $20,000. It does not provide free consulting support.