"Heartbleed" exposes OpenSSL's weaknesses: short of staff, short of funds

Summary: An article published today on the Wall Street Journal's website says that the Heartbleed vulnerability that shocked the Internet has exposed a major soft spot in OpenSSL: such an important project has for years faced funding shortfalls and understaffing, with most of the work done by a handful of volunteers.

The following is the main content of the article:

The OpenSSL Heartbleed vulnerability, which set off a frenzy around the world this week, has exposed a weak link in Internet security: the work is very difficult, yet most of it is done by just four programmers in Europe and one former military consultant in Maryland, in the United States.

The team is made up of 11 people, but most are volunteers, and only one works on it full time. Its budget is less than $1 million a year. The Heartbleed vulnerability disclosed on Monday was an unintentional mistake by a young German researcher.

"The project is so small it is shocking," said Kenneth White, an encryption expert at the US company Social & Scientific Systems. "You know, this is some of the most complex communications code on the Internet."

The OpenSSL project was founded in 1998 with the aim of providing a free set of encryption tools. After years of development, about two-thirds of the world's web servers use it. Major websites, network equipment companies and government agencies all use OpenSSL to protect personal information and other sensitive data.

So when Google and Codenomicon revealed on Monday that hackers may have used Heartbleed to obtain such data, the Internet immediately panicked.

The panic spread further on Friday when Bloomberg reported that the National Security Agency (the "NSA") had known about the flaw for as long as two years and had used it to collect foreign intelligence. The NSA, the White House and the US Office of the Director of National Intelligence, however, all denied the report.

"Claims that the NSA or any other government department was aware of the so-called Heartbleed vulnerability before April 2014 are not true," said Caitlin Hayden, spokeswoman for the White House National Security Council.

Earlier on Friday, a German programmer who volunteers for OpenSSL admitted that he had inadvertently introduced the flaw on New Year's Eve 2011 while submitting bug fixes to OpenSSL. The programmer, Robin Seggelmann, 31, works at Deutsche Telekom's T-Systems. He said in a blog post that many of the programmers involved with OpenSSL had failed to notice the error.

In a complex program, errors are inevitable; Microsoft, Apple and Google announce several system vulnerabilities every month. But people close to the OpenSSL project say that the little money it receives from outside has dwindled further, and that this shortage of funds is why the flaw went undiscovered for two years.

The Heartbleed flaw raised another question: whether the Internet should rely on such a concentrated technology to protect its data. "Whenever technology is this concentrated, everyone is threatened by a single vulnerability," said Matthew Green, a cryptography expert at Johns Hopkins University.

The OpenSSL project has only one full-time developer: Stephen Henson, a 46-year-old British cryptographer with a doctorate in mathematics. Two other British residents and a German developer make up the rest of the project's management team.

In the eyes of his colleagues, Henson is talented but aloof, and his workload is far too heavy. When companies ask him for free advice on using OpenSSL, he asks them: "How would you react if I asked your company for a lot of free advice?"

The OpenSSL project works like this: the team continually improves its implementation of an encryption protocol called SSL or TLS, which ensures that hackers cannot read the information users send to websites. The code that forms the basis of this now widely used software was developed in the 1990s by Eric Young, who is an engineer in EMC's RSA security division.

The OpenSSL team is based entirely outside the US, so that its advanced encryption technology is not restricted by US arms export laws.

Geoffrey Thorpe, a volunteer on the OpenSSL development team, said that his job at a software technology company keeps him so busy that he has little time to give to the project. Thorpe, who lives in Quebec City, said: "It's like cleaning sewers: dirty and complicated, but until something goes wrong, everyone takes it for granted."

Over the past decade, Steve Marquess, a former consultant to the US Department of Defense who lives in Maryland, has raised donations and consulting contracts for the project through an organization called the OpenSSL Software Foundation.

Marquess had helped the OpenSSL project obtain funding from the US Department of Homeland Security and the Department of Defense, but he could not confirm the accuracy of Friday's Bloomberg report.

Since the Heartbleed vulnerability was exposed, donations to the foundation have risen slightly, but most are still small contributions of $5 and $10. More importantly, OpenSSL also needs more people to review its code.

Qualys, a US network security company, says it has contributed a small amount of money to the OpenSSL Software Foundation for work on the security of the code. A company spokesman declined to give a specific amount, but said that OpenSSL regards Qualys as a "major donor", which shows how "seriously underfunded" the project is.