Did you patch OpenSSL? If not, why are you reading this? Go patch!
For everyone else, go ahead and calm down. Let’s be reasonable here. The danger has passed for now. The real danger here is not even Heartbleed, frankly.
We’re not saying Heartbleed wasn’t dangerous. What we are saying, however, is that the real problem wasn’t the ability to read data from OpenSSL’s RAM cache. The real problem was the fact that an entire world of Web-based computing relies on a project that amounts to little more than four or five people who aren’t paid very much.
The industry needs to support OpenSSL with more resources, more eyeballs, and more developers. As of this writing, the OpenSSL development team consists of 11 people. We’ve heard that only about two of them were actively maintaining the project. This is exactly why the OpenBSD folks decided to turn their gaze upon OpenSSL. The expertise of the OpenBSD team will shine a lot of light into the narrow corners of the OpenSSL project.
But we’ll need more than them. Everyone needs to tuck in and fix OpenSSL. (Perhaps “fix” is not the right phrase for what needs to be done, however. Perhaps the proper word is “advance.”)
A lot of ire came out during the weeks following Heartbleed, and much of it was aimed at the way OpenSSL behaves and how it is designed. One spurious criticism was that C and C++ should not be used for security-critical infrastructure.
That’s no solution, and we’ve all known how to develop securely in C for many years. Often exploits come from lazy coding, not the fact that the language does not support memory management.
A far more coherent argument reasons that OpenSSL is extremely old, TLS is obtuse, and when combined, these two elements make for a terrible development experience.
It is the frustration from dealing with inhospitable programming paradigms that leads to developers not implementing encryption properly, or to their sloppy coding.
But there is no excuse for this particular bit of sloppy coding. The Heartbleed attack was a serious wake-up call for the industry. We’re sincerely hopeful that the open-source community, like OpenBSD, can pitch in and advance OpenSSL so that it can catch up to the rest of the world in terms of security, ease of use, and reliability. But that’s the thing about open source, isn’t it? If one of the cornerstones of our industry crumbles, it’s our own fault.