Rusty Foster blames the bug on the insufficient attention we pay to open-source software:
OpenSSL, which is used to secure as many as two-thirds of all encrypted Internet connections, is a volunteer project. It is overseen by four people: one works for the open-source software company Red Hat, one works for Google, and two are consultants. There is nobody whose full-time job it is to work on OpenSSL. ….
Unlike a rusting highway bridge, digital infrastructure does not betray the effects of age. And, unlike roads and bridges, large portions of the software infrastructure of the Internet are built and maintained by volunteers, who get little reward when their code works well but are blamed, and sometimes savagely derided, when it fails. To some degree, this is beginning to change: venture-capital firms have made substantial investments in code-infrastructure projects, like GitHub and the Node Package Manager. But money and support still tend to flow to the newest and sexiest projects, while boring but essential elements like OpenSSL limp along as volunteer efforts. It’s easy to take open-source software for granted, and to forget that the Internet we use every day depends in part on the freely donated work of thousands of programmers.
The developer who introduced the bug called it “a simple programming error.” Update from a professional software developer:
Most of the commentary on the Heartbleed bug has focused on the proximate cause of the problem. As reported, this is indeed a simple programming error, of the kind that I could see almost anyone making from time to time. There’s lot of talk in the community about various engineering best practices (code reviews and so forth) that might have prevented this. And there’s certainly an interesting discussion about whether this being open source has helped, hurt, or is irrelevant. But zoom out a bit, because this particular bug has a root cause that’s deeper than the simple programming error. This XKCD comic gives a pretty good explanation of what happens with Heartbleed. If, after reading this, you’re wondering why a simple “are you alive” check requires the server to repeat back to the user an arbitrary block of data instead of just saying “yup, I’m here”, you’re not alone. This is a completely unnecessary feature of the protocol, that adds no functionality of any real value. One thing we’ve learned about developing secure systems is to reduce the “attack surface”, which means that any entry points and bits of protocols that aren’t required should be eliminated, because they might serve as vectors for attacks. Which is exactly what happened here. This bug doesn’t exploit the main part of the protocol – the gnarly stuff that actually deals with cryptographic keys – but rather goes after a flaw in this unnecessary appendage.
As a community, we need to get better about reviewing and analyzing the designs of these systems before they ever turn into code. And we also need to find a way to get smart people reviewing the unsexy bits of these systems more frequently.
The Dish 