Blog Post

Open source software is more secure, right? So what happened with OpenSSL?

One of the benefits often cited for open-source software is that, because it is so widely available and open to review by developers, security flaws will be caught sooner than in closed, proprietary systems. This week’s near-panic around the Heartbleed flaw in the open-source OpenSSL encryption library calls that contention into question. When internet security czars are telling people to “stay off the internet,” there’s a problem.

The vulnerability, which afflicted popular web sites and networking gear from Cisco and Juniper, has been around for more than two years but was brought to light by researchers at Google and Codenomicon early this week. That’s a long time.

But the German programmer who claimed responsibility for contributing the flawed code in late 2011 told The Guardian that he, not the open source model, is to blame. Robin Seggelemann said his update did what it was supposed to do — enable the “Heartbeat” feature in OpenSSL — but also accidentally created the vulnerability that caused all the hubbub.

Seggelemann said he “wrote the code and missed the necessary validation by an oversight. Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version.”
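To make the “missed validation” concrete, here is an added example in C (not OpenSSL’s code and not from the post) modelling a TLS heartbeat responder. The unchecked shape copies as many bytes as the peer’s length field claims; the checked shape applies the two length tests the published fix introduced before copying anything. The arena, the request and the “UNRELATED-SECRET” string are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>

/* Heartbeat request (RFC 6520): type(1) | payload_len(2, big-endian) | payload | padding(>=16).
 * Toy model of the responder, not OpenSSL's code. */
/* Vulnerable shape: trusts the peer-supplied length field and never compares it with
 * the bytes actually received (rec_len), so it copies whatever follows the record. */
size_t hb_respond_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    (void)rec_len;                               /* the validation that was missed */
    size_t payload = (size_t)rec[1] << 8 | rec[2];
    if (payload > out_cap) return 0;             /* only the reply buffer is bounded */
    memcpy(out, rec + 3, payload);               /* may read far past the record */
    return payload;
}

/* Hardened shape: the two length tests from the published fix, before any copy. */
size_t hb_respond_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + 16) return 0;          /* cannot even hold header + min padding */
    size_t payload = (size_t)rec[1] << 8 | rec[2];
    if (1 + 2 + payload + 16 > rec_len) return 0; /* claimed length exceeds record: drop */
    if (payload > out_cap) return 0;
    memcpy(out, rec + 3, payload);
    return payload;
}

/* Constructed sample: a 4 KiB arena standing in for process memory. The request fills the
 * first 24 bytes (5 payload bytes + 16 zero padding); unrelated data sits further along. */
static uint8_t arena[4096];
static size_t build_sample(uint16_t claimed) {
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                /* heartbeat_request */
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memcpy(arena + 3, "hello", 5);
    memcpy(arena + 40, "UNRELATED-SECRET", 16); /* constructed; not part of the record */
    return 24;                                   /* bytes actually received */
}

/* 1 if the unchecked responder echoes the unrelated bytes back, 0 otherwise. */
int unchecked_leaks(void) {
    uint8_t out[256];
    size_t n = hb_respond_unchecked(arena, build_sample(64), out, sizeof out);
    return n == 64 && memcmp(out + 37, "UNRELATED-SECRET", 16) == 0; /* arena[40] -> out[37] */
}

/* Bytes the checked responder echoes for the same request (0 = rejected). */
size_t checked_accepts(uint16_t claimed) {
    uint8_t out[256];
    return hb_respond_checked(arena, build_sample(claimed), out, sizeof out);
}
```

A request that claims 64 bytes but carries 5 is echoed (with the neighbouring data) by the unchecked responder and silently dropped by the checked one; an honest 5-byte request passes both.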

So why did the resulting vulnerability stay under the radar for so long? Because, in his view, OpenSSL, while widely deployed, is under-funded. OpenSSL is “definitely under-resourced for its wide distribution. It has millions of users but only very few actually contribute to the project,” he told the Guardian.

And that brings us back to the question of whether open-source software is always best compared to company-funded-and-supported commercial (paid) software. It’s good to debate the issue, but given the traction that Linux, Apache and perhaps OpenStack have gotten, this horse may have left the barn. And remember, commercial software companies haven’t exactly covered themselves in glory with regard to security. Most notably, security giant RSA reportedly shipped encryption software with a known backdoor.

25 Responses to “Open source software is more secure, right? So what happened with OpenSSL?”

  1. TeaPartyCitizen

    You’re missing the point! SSL is an algorithm, a blueprint, if you will. Developers are like construction workers building what is on the blueprint. If a carpenter forgets a nail does not mean hide the blueprint.

  2. If this was closed-source software, no bug would have been admitted until absolutely necessary, reporters would possibly be sued or otherwise silenced if it was deemed cost effective, and any patch (assuming the company was still in business) would possibly be for binaries only, only for select platforms, and the bug would still be present anywhere that was not financially viable to fix.

    For a higher price and a support contract you could possibly pay for support of unsupported or outdated releases.

    It is heavily biased to blame open source — how many companies use open source software, without contributing a dime or any code back?

    The lesson to be learned is “mooch forever, and bugs will not magically fix themselves.”

    Any code or library should not be blindly trusted and incorporated into a system without review. That goes for any software.

    Why did so many companies use this code blindly, without conducting a proper review?

    Could it be they were leeching onto open source for cost reasons, hoping the “community” would mysteriously fix things for them?

    I believe openssl has asked for financial support because so few resources get thrown at it despite it being heavily used by many companies and products.

    I would imagine the people acting surprised at this are those who shamelessly use open source software without contributing anything back.

  3. Nicole King

    Thank heavens that openssl *is* open! Had it been closed source, it would not have been available for audit and such an error might not have been found.

  4. Nick Gentile

    Seriously? Sad day to see this on GigaOM. I believe you need to start reading, from the day Yuri Gagarin hopped into space to how we got here, and maybe then, in the middle of that reading you will realize how inapplicable this question is. Very moot post.

  5. I’m confused, all of my android devices are vulnerable, but heartbeat is not enabled on any. Is this a 2 way handshake? If the device side is not enabled does it obviate the server side. I’m just a simpleton trying to wrap my head around this issue.

    • TeaPartyCitizen

      It occurs when a bad guy targets your device or when your device connects to a bad guy’s site, but I think that Android avoids this problem except 4.1.1 in a limited way.

  6. My Debian-based system just got an update with the fix for this. You can’t beat that with any other OS. You’ve probably seen the XKCD explanation by now ( This provided a memory dump. An attacker would have to plow thru a lot of junk to find passwords or CC#’s in that.

  7. Only someone who cannot READ or UNDERSTAND code will write an article like this or raise a question like this. Because this was open source everyone could see exactly what the problem was and could make an educated guess on what the problem was. Try that with a closed source product.

  8. Gil Yehuda

    Excellent points raised. Software has bugs. So does open source software. It’s not fundamentally more secure, but it’s fundamentally easier to become more secure. That does not make it risky to use open source, but risky to assume a false sense of quality. As we leverage the work that others share, we are motivated to give back with automated test results, code bug fixes, and funding to those projects that we rely upon. This is a painful lesson given the challenges this week with this bug, but the call to action is one worth sharing. Thanks,

  9. Srikanth Remani

    Most of the open-source software would be well funded if 1% of the users contributed something, I mean just a dollar. This is a serious issue – corporations using Open Source software are better served if they made decent donations to those projects, both monetary and/or human; without it we rely on enthusiasts, and enthusiasm has a habit of waning over time.

    • Christopher Stith

      That depends. Are your mail servers using OpenSSL with TLS heartbeat enabled in the build? If you don’t know then ask your provider or sysadmin. If the responsible party doesn’t know then you have a bigger problem.

  10. thatbrentguy

    Perhaps someone can describe how a closed-source solution would have fared in the same case, whereby a programmer inadvertently inserts a bug, it passes review, and is released in a stable product.

    Would the company assign resources to ongoing review of the code for security bugs, years after its release?

    Would those resources be selected from the original developers or different people than the programmer/reviewer who missed it in the first place?

    If the company were to discover the flaw and release a patch, would any of their customers ever know that they had been vulnerable? Would the company risk torpedoing its market share by calling for global certificate renewal?

    In the case of OpenSSL, I believe we are all far better off for having had the problem uncovered publicly and knowing the full scale of the implications than if there had been a similar issue in a closed box, whose bug and implications might have remained hidden from everyone but those who wanted it to remain unknown.

    • slidnbob

      I think you missed the point a bit. The claim is that open source software is safer than commercial software. The point is that this bug demonstrates that the claim cannot be fully true. The details show that open source software suffers from the same human frailties as commercial software. And, having worked on operating system software for many vendors and more years than I would like to admit, the answer is “yes” to your questions.

      • Scrotum

        I think you’re missing the point. All software has bugs, as you concede above. This bug was only found because an outside developer was looking at the code, something that wouldn’t have happened if this was proprietary software.

      • TeaPartyCitizen

        You’re missing the point! SSL is an algorithm, a blueprint, if you will. Developers are like construction workers building what is on the blueprint. If a dumb ass carpenter forgets a nail does not mean hide the blueprint.

  11. Tal Klein

    Security is just the science of convincing an opportunistic threat actor that you are harder to crack than your neighbor. The underpinnings of security through obscurity (RSA/NSA or Apple GoToFail) or open source (OpenSSL) are both susceptible to human error. The benefit of security through obscurity is that there are fewer eyes on the code, and the benefit of open source security is that there are more eyes on the code. :)