Who Should Pay To Keep The Internet's Locks Secure? | WAMU 88.5 - American University Radio
The encryption software exposed by the Heartbleed bug last week provides vital security for some of the most widely used websites on the Internet. Fortune 1000 companies rely on this open source code for their core business. But it turns out almost no one is paying to maintain it.

The software that carried the bug, since patched, is OpenSSL. It's supposed to be the really safe, secure road on the Internet superhighway: it implements the TLS protocol that encrypts messages sent between users and servers. But the recent bug was like a gaping pothole. A missing length check in the code that handles TLS "heartbeat" messages let anyone ask a server for far more data than they had sent, and read back whatever happened to sit in the server's memory next to the request, potentially including private keys and passwords.
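
To make the "pothole" concrete, here is an added illustration written for this page; it is not code from the article, from OpenSSL, or from Codenomicon. It models the shape of the Heartbleed bug: a heartbeat record carries its own payload-length field, the vulnerable handler copies that many bytes without checking them against the length of the record actually received, and the fixed handler adds the bounds check that OpenSSL 1.0.1g introduced. Server memory is modelled as a single flat buffer (`arena`), and the "secret" placed after the record is constructed sample data; both are assumptions of the model, not a claim about real process layout.

```c
/* Simplified model of the OpenSSL heartbeat handler around CVE-2014-0160.
 * Illustrative code for this page, not OpenSSL's own source. Record layout
 * follows the TLS heartbeat message: 1-byte type, 2-byte big-endian payload
 * length, payload bytes, then padding. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 128

/* Flat buffer standing in for server memory (an assumption of this model):
 * the received record sits at the front, adjacent data right after it. */
static unsigned char arena[ARENA_SIZE];

/* Constructed stand-in for sensitive data that happens to follow the record. */
static const char secret[] = "PRIVATE-KEY-BYTES";

/* Builds a heartbeat request that claims `claimed_len` payload bytes but
 * carries only `actual_len`, plus `padding` zero bytes. Returns real length. */
size_t build_heartbeat(unsigned char *rec, uint16_t claimed_len,
                       const char *payload, size_t actual_len, size_t padding)
{
    rec[0] = 1;                                   /* TLS1_HB_REQUEST */
    rec[1] = (unsigned char)(claimed_len >> 8);
    rec[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(rec + 3, payload, actual_len);
    memset(rec + 3 + actual_len, 0, padding);
    return 3 + actual_len + padding;
}

/* Vulnerable handler (1.0.1 through 1.0.1f): trusts the length field inside
 * the record and never compares it with the record length really received.
 * Returns the number of response bytes written to `out`. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                /* ignored: that is the bug */
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (hbtype != 1 || payload > out_cap) return 0;
    memcpy(out, p, payload);                      /* reads past the real record */
    return payload;
}

/* Fixed handler: the bounds check 1.0.1g added. Header, claimed payload and
 * the 16 bytes of minimum padding must fit inside the record actually
 * received; otherwise the message is silently discarded. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if (rec_len < 3) return 0;
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (hbtype != 1) return 0;
    if ((size_t)1 + 2 + payload + 16 > rec_len) return 0;
    if (payload > out_cap) return 0;
    memcpy(out, p, payload);
    return payload;
}

/* Places a 1-byte request that claims 64 bytes in the arena, with the secret
 * immediately after it. Returns the record's real length. */
static size_t stage_attack(void)
{
    memset(arena, 0, sizeof arena);
    size_t rec_len = build_heartbeat(arena, 64, "A", 1, 16);
    memcpy(arena + rec_len, secret, sizeof secret);
    return rec_len;
}

/* Returns 1 if the vulnerable handler echoed the secret back in its response.
 * The copy starts at the payload (offset 3), so the secret lands at
 * out[rec_len - 3]. */
int demo_leak(void)
{
    unsigned char out[ARENA_SIZE];
    size_t rec_len = stage_attack();
    size_t n = heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    return n == 64 && memcmp(out + rec_len - 3, secret, strlen(secret)) == 0;
}

/* Same malicious record against the fixed handler: returns 1 if discarded. */
int demo_fixed_rejects(void)
{
    unsigned char out[ARENA_SIZE];
    size_t rec_len = stage_attack();
    return heartbeat_fixed(arena, rec_len, out, sizeof out) == 0;
}

/* An honest request (claimed length matches the payload, 16 bytes of padding)
 * must still be answered by the fixed handler. Returns 1 on success. */
int demo_fixed_accepts_honest(void)
{
    unsigned char out[ARENA_SIZE];
    memset(arena, 0, sizeof arena);
    size_t rec_len = build_heartbeat(arena, 5, "hello", 5, 16);
    size_t n = heartbeat_fixed(arena, rec_len, out, sizeof out);
    return n == 5 && memcmp(out, "hello", 5) == 0;
}

int main(void)
{
    printf("vulnerable handler leaked the secret: %d\n", demo_leak());
    printf("fixed handler rejected the request:   %d\n", demo_fixed_rejects());
    printf("fixed handler answered honest request: %d\n", demo_fixed_accepts_honest());
    return 0;
}
```

The over-read in the model stays inside `arena` so the program is well defined; in the real server the same `memcpy` walked off the end of the received record into whatever heap memory followed it, which is why the leaked bytes varied from request to request.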

The volunteer team behind OpenSSL couldn't catch it because there aren't enough of them to look. Steve Marquess, who founded the OpenSSL Software Foundation to support the project, says only one person works solely on the software. "Everyone else has outside obligations," he says.

The group gets some money from corporate contracts. "Rather quite a bit — under $1 million," he says. But that's for company-specific work. In 2013, the group got just $2,000 in donations for general upkeep.

After news of the bug broke, one person on a popular tech forum joked the software could raise more money panhandling in a big city than it's gotten online.

Ed Felten, a computer scientist at Princeton University, says OpenSSL is like public infrastructure without a tax base. It's open source, meaning anyone can use it for free, but the project is so poor that it has never had a complete security audit.

Two-thirds of websites rely on OpenSSL, and most of them give nothing back. In economics, such users are called free riders.

"A free rider problem means that someone can benefit from a project or a technology without contributing back to it," Felten says.

High-tech companies are keeping quiet about the software's financial woes. Facebook and OKCupid did not respond to NPR's inquiry. Yahoo, Amazon and Google declined to comment. Cisco did disclose that it does not write checks to OpenSSL, but the company's employees do actively contribute code.

Many cybersecurity experts, including Felten, say that's not enough.

"Somebody needs to be paying and putting in the work to ensure that components like OpenSSL are secure. It's a job that some of the large companies could do individually and get together and do," Felten says.

David Chartier, CEO of Codenomicon, the Finnish security firm whose researchers found the Heartbleed bug (independently of a Google engineer who reported it around the same time), says the crisis is not a cautionary tale about free riders and corporate accountability. Software, public or private, will always have bugs, and people have to come together as a team to deal with it.

"Never before have we seen the security community, and the general public together along with media move so quickly to get the word out," Chartier says.

There is another silver lining. Marquess says since the bug was revealed, his group has gotten about $10,000 in checks.

"What I think is remarkable about that is so many come from around the world, places like Micronesia, the Netherlands, Taiwan, typically in $5, $10, $20 amounts," Marquess says.

But given all the traffic on OpenSSL, that still doesn't cover the cost of maintenance, he says.

Copyright 2014 KQED Public Media. To see more, visit http://www.kqed.org.