Why Heartbleed did not harm open source

Unless you live in a cave, a Victorian-style outside toilet or a Bear Grylls-style treehouse in the Outer Hebrides, it is safe to say you will have read about the Heartbleed bug.

The Heartbleed bug is an OpenSSL cryptographic library flaw that allows attackers to steal sensitive information from remote servers and devices and is said to have affected nearly two-thirds of websites.

Because of the bug, many say that secure connections can no longer be regarded as trustworthy, since hackers can access and view user IDs and passwords, or worse, the private encryption keys that secure all connections.

Mike Tuchen, CEO of open source middleware company Talend, says that a lot of the coverage to date has highlighted how small and underfunded the OpenSSL team is, and how this “volunteer” approach to open source development can cause problems.

Reading many of the commentaries, one could easily come to the conclusion that a proprietary approach would be better, he argues.

But did the open approach ultimately actually protect us?

Tuchen argues that, in reality, the open source nature of OpenSSL has provided real benefits in this situation.

“The community scrutiny of the open source code worked,” he said.

Talend’s Tuchen argues as follows:

After the Snowden disclosures, researchers began focusing on widely used cryptographic components to look for weaknesses. As a result of this public scrutiny, the flaw was discovered independently by two researchers, within a month or so of one another.

The cooperative nature of open source worked.

If this stack was closed source, the flaw might have been found by any number of malicious parties but never disclosed.

In addition, all of the public scrutiny on OpenSSL has also uncovered other potential issues that would never have been found if it were not open source, for example a custom buffer allocation approach that bypasses some of the advances in buffer management in the underlying operating systems.

At the end of the day, with a closed source approach, this security flaw might never have come to light publicly — as widespread as the problem has been, it’s almost certainly better than the alternative.