One of the interesting aspects of Heartbleed are some of the criticisms of OpenSSL, the relevant developers, and open source.
Isn’t this the fault of the OpenSSL developers?
Yes, but …
Whilst it is very easy to blame the OpenSSL developers, and ultimately they were the ones who made the mistake of introducing this vulnerability, it is not quite that simple.
What has become clear is that the OpenSSL is chronically underfunded with less than four active developers (only one of whom is full time). This is despite the fact that OpenSSL is probably in roughly 1/2 of all software products including products from technology giants such as Cisco, IBM, HP, Lenovo, etc.
If OpenSSL is underfunded, everyone who makes use of the library in their products should look into why they should not be contributing towards the product. Surely every one of the technology giants could afford to contribute the cost of one developer each towards the project?
Isn’t this the fault of the open source methodology?
Every time a vulnerability crops up, someone blames the development model for the vulnerability. But when you come down to it, both open source and closed source projects contain vulnerabilities.
In theory it is possible for open source to be more secure. Because the source code is publicly available, it can be audited by independent researchers. And that is effectively what seems to have happened – a Google researcher found the vulnerability and informed the OpenSSL developers of the problem.
What went wrong is that the audit happened after the release of the code. To be more secure than closed source, open source needs to be audited before the code is released. Perhaps some automated system that checks every code check in.
Is it the fault of the C programming language?
No, it’s the programmer’s mistake.
But C does make it easy to make mistakes with memory handling although we have to remember that half of this bug was a different sort of mistake – trusting user supplied data. And no matter what kind of language you are using, if you trust user supplied data then attackers everywhere will be chortling.
Back to C’s memory handling. C is a very old programming language and expects the programmer to safely deal with memory management. The best programmers can do this safely, but even those programmers have the occasional Friday afternoon and most programmers are not that good.
A more modern system programming language such as Go or Rust would be very helpful in reducing the possibility of certain types of errors, and there’s a great deal to be said for switching to one or other.
But OpenSSL is written in C, and switching now would be very difficult especially as the OpenSSL library needs to maintain compatibility with hundreds or thousands of programs written to call functions within a C library. Even if that compatibility problem were overcome, rewriting OpenSSL in some other language is an enormous amount of work which is hard to do with just four developers.