A security flaw affecting two thirds of websites is a reminder that the Web relies on a poorly resourced open source project.
Late yesterday we learned that a two thirds of the world’s websites have a major security vulnerability that could be used to crack encrypted connections and steal user passwords or a company’s encryption keys. The news set system administrators for the estimated 117,000 servers affected (including at major companies like Yahoo) scrambling to roll out a fix. It is also leading some people to ponder why the widely-used software in which the critical bug was found doesn’t get better support.
The Heartbleed bug, as it is known, is a small flaw in a version of an open source package calledOpenSSL. It’s used by Web servers to offer encrypted “TLS” connections that appear to users as a padlock and “HTTPS” prefix in a browser’s address bar and are used to protect online banking and other private communications.
There are alternatives to OpenSSL but it is by far the most widely used software for the job. Most websites use it to protect their data and that of their users. Yet the OpenSSL project is mostly run by volunteers. It relies on donations and unlike some other open source project has no corporate sponsors.
It’s impossible to say if more funding would have prevented the Heartbleed bug. But some security experts see the incident as a reminder that what is essentially a critical part of the Web’s infrastructure seems to lack appropriate support from those who rely on it.
Written By: Tom Simonite
continue to source article at technologyreview.com