The heartbleed bug is the single biggest f*ckup in the history of the Internet.
For anyone who doubts the veracity of this claim, let me state the plain and simple facts:
Since December of 2011 any individual with an Internet connection could read the memory of maybe half of the “secure” Web servers on the Internet.
For the layman, reading the memory of a Web server often means being able to read usernames, passwords, credit card numbers and basically anything else that the server is doing.
For over two years we’ve all had our pants down and no one even noticed.
Open Source Failed
For most developers, myself included, open source has been a mythical paradigm shift in software development that should be embraced without question.
What of bugs? There’s a famous adage about bugs in open source:
Given enough eyeballs, all bugs are shallow
Applied to this case, the buffer overflow in the heartbeat protocol should have been easily found by someone. But it wasn’t.
After the heartbleed bug, can this statement of open source fact still be considered valid? What does it mean to have eyes on code?
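To make concrete what the heartbeat bug looks like in code, here is an added example that is not from the original post and is not OpenSSL’s code. A TLS heartbeat message (RFC 6520) carries a 16-bit payload_length chosen by the peer, and the responder echoes the payload back. The defect is a missing comparison between that claimed length and the number of bytes actually received, so the copy reads past the end of the received record into neighbouring memory. The example simulates one slab of process memory as a constructed arena holding the record followed by a made-up secret, and shows an unchecked responder leaking it beside a checked responder that rejects the same request; all names, the arena layout and the secret are assumptions for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* TLS heartbeat message (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding (>= 16 bytes)
 * The responder echoes the payload back. payload_length comes from the peer,
 * so it must be checked against the record length that was actually received. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Hypothetical process memory for the demo: the received record sits at the
 * start of one arena and unrelated data (a constructed secret) follows it. */
#define ARENA_LEN 64
static const char DEMO_SECRET[] = "SECRET-SESSION-KEY";

static uint16_t read_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Build a heartbeat response by copying payload_len bytes out of the request. */
static int emit_response(const uint8_t *req, uint16_t payload_len, uint8_t *out, size_t out_cap) {
    size_t n = (size_t)HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (n > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = req[1];
    out[2] = req[2];
    memcpy(out + HB_HEADER_LEN, req + HB_HEADER_LEN, payload_len);
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return (int)n;
}

/* VULNERABLE pattern: trusts payload_length without comparing it to record_len,
 * so the copy reads past the record into whatever sits next in memory. */
static int respond_unchecked(const uint8_t *arena, size_t record_len, uint8_t *out, size_t out_cap) {
    (void)record_len;                       /* the real record length is never consulted */
    if (arena[0] != HB_REQUEST) return -1;
    uint16_t payload_len = read_be16(arena + 1);
    /* Demo-only guard so this program stays within defined behaviour; the
     * vulnerable code had no such limit and payload_length can reach 65535. */
    if ((size_t)HB_HEADER_LEN + payload_len > ARENA_LEN) return -1;
    return emit_response(arena, payload_len, out, out_cap);
}

/* HARDENED: discard any request whose claimed payload does not fit in the record. */
static int respond_checked(const uint8_t *record, size_t record_len, uint8_t *out, size_t out_cap) {
    if (record_len < HB_HEADER_LEN + HB_MIN_PADDING) return -1;   /* too short to be valid */
    if (record[0] != HB_REQUEST) return -1;
    uint16_t payload_len = read_be16(record + 1);
    if ((size_t)HB_HEADER_LEN + payload_len + HB_MIN_PADDING > record_len) return -1; /* the missing check */
    return emit_response(record, payload_len, out, out_cap);
}

/* Constructed arena: a 21-byte request claiming a 32-byte payload but carrying 2,
 * with the secret stored right after it. Returns the real record length. */
static size_t build_arena(uint8_t *arena) {
    memset(arena, 0, ARENA_LEN);
    arena[0] = HB_REQUEST; arena[1] = 0x00; arena[2] = 0x20;      /* payload_length = 32 */
    arena[3] = 'h'; arena[4] = 'i';                                 /* 2 real payload bytes */
    size_t record_len = HB_HEADER_LEN + 2 + HB_MIN_PADDING;         /* = 21 */
    memcpy(arena + record_len, DEMO_SECRET, sizeof DEMO_SECRET - 1);
    return record_len;
}

/* 1 if needle occurs anywhere in buf[0..len). */
static int contains(const uint8_t *buf, size_t len, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= len; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if the unchecked responder copies the secret into its reply. */
int unchecked_leaks_secret(void) {
    uint8_t arena[ARENA_LEN], out[128];
    size_t record_len = build_arena(arena);
    int n = respond_unchecked(arena, record_len, out, sizeof out);
    return n > 0 && contains(out, (size_t)n, "SECRET");
}

/* Hardened responder on the same malicious request (-1 means rejected). */
int checked_result(void) {
    uint8_t arena[ARENA_LEN], out[128];
    size_t record_len = build_arena(arena);
    return respond_checked(arena, record_len, out, sizeof out);
}

/* Hardened responder on an honest request whose payload_length matches the record. */
int checked_honest_result(void) {
    uint8_t arena[ARENA_LEN], out[128];
    size_t record_len = build_arena(arena);
    arena[2] = 0x02;                                                /* payload_length = 2 */
    return respond_checked(arena, record_len, out, sizeof out);
}

int main(void) {
    printf("unchecked responder leaks secret: %d\n", unchecked_leaks_secret());
    printf("checked responder, malicious:     %d\n", checked_result());
    printf("checked responder, honest:        %d\n", checked_honest_result());
    return 0;
}
```

The only difference between the two responders is the single length comparison against record_len; that is the check whose absence let a peer read a server’s memory, and it is also the kind of check a code reviewer or a bounds-checking fuzz harness is positioned to catch.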
If I wanted to look at the code for OpenSSL, I could have. Guess what? I never did, and I would bet that most of the people reading this article didn’t either.
The Ultimate Humiliation for Public Key Infrastructure
It has long been known that our current public key infrastructure is horribly broken, proven mostly by the numerous compromises of its supposed “sources of trust”, the certificate authorities.
Broken and run roughshod over by the likes of the NSA, hackers and other government agencies across the globe.
This latest episode is really just icing on the cake. Not only are the private keys of “secured” servers up for grabs, but so is their most sensitive and personal data.
I think it’s time we as an industry take a good hard look in the mirror, and reevaluate… everything.