Most of us take for granted how water flows into pipes that reach our bathrooms or how wires in the street run electricity into our homes, and many other everyday activities. From this oversimplified notion of critical infrastructure, we set a context for reviewing the recent Heartbleed OpenSSL vulnerability and why it remains so important to both businesses and consumers even as other breaches fade away.
The media frenzy over the April 2014 Heartbleed vulnerability was significant for several reasons. Despite endless warnings about cybersecurity issues (such as data breaches and the need to patch various web browsers) and an outbreak of increasingly sophisticated malware, the Heartbleed incident is of tremendous symbolic and tangible importance to both information security professionals and the mainstream public because of how it changed many of our perceptions about computing.
Even now, as the second Heartbleed-related vulnerability was discovered last month, the initial incident still remains the focus of specific sectors like tech and information security and their respective energies, discussions, and concerns about the future of computing infrastructure, mobile applications, and personal data protection.
To understand why anyone would still care about this particular bug, it's important to first understand the five specific reasons why Heartbleed made such an impact:
Open source finally funded
Without Heartbleed, the recently announced and rapidly-pulled-together Core Infrastructure Initiative (CII), which funds open source projects in the critical path for core computing functions, would probably never have succeeded, or at least it would have gone unnoticed. At a minimum, it might've happened without much fanfare and – more importantly – without a key ingredient: funding. But powerhouses like Adobe, Amazon, Cisco, Dell, Facebook, Google, HP, IBM, Intel, Microsoft, Rackspace, VMware, and others came together to financially support key open source initiatives and triage those initiatives most in need of support and assistance. We are now (hopefully) at the dawn of a new age in which large technology firms are supporting critical pieces of open source infrastructure, contributing to the development of future global computing infrastructure.
Alongside the three initial projects that CII will be supporting (Network Time Protocol, OpenSSH, and OpenSSL), it's also heartening to see that other key projects such as the Open Crypto Audit Project will also benefit from this focus on cooperation, analysis, and technical support and on helping “evaluate open source projects essential to global computing infrastructure.”
Practically overnight, we also saw Heartbleed and OpenSSL become mainstream topics, even recognised by those who are not experts in information security. Security awareness up and down the ranks of management is a good thing. That said, other incidents that followed, such as the problems uncovered in the GnuTLS cryptographic library, would probably never have made the press, been discussed, and then been remediated in a reasonable manner if Heartbleed hadn't blazed a trail for security awareness. This level of focus and interest is a good thing for our collective security and for the broader integrity of the computing landscape.