Who Should Pay To Keep The Internet's Locks Secure? : All Tech Considered Fortune 1000 companies rely on the open source software OpenSSL for their core business. Two-thirds of websites use it. But no one pays for it, and it's never had a complete security audit.

Who Should Pay To Keep The Internet's Locks Secure?

  • Download
  • <iframe src="https://www.npr.org/player/embed/304143259/305477617" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript

RENEE MONTAGNE, HOST:

Last week, a little bug called Heart Bleed put the entire Internet on alert. Tech companies that handle email and online accounts sent out ominous advisories and there was a rush to change passwords. Now the bug has been cured. But the system that it has infected is still at risk.

From member station KQED, Aarti Shahani reports.

AARTI SHAHANI, BYLINE: OpenSSL is the software that got infected. It's supposed to be the really safe, secure road on the Internet superhighway, where messages get encrypted and sent between users and servers. Fortune 1000 companies rely on OpenSSL for their core business. But no one is paying for it.

Steve Marquess is founder of the OpenSSL Foundation.

STEVE MARQUESS: There's only one person who does nothing but work on OpenSSL in some capacity. Everyone else has outside obligations.

SHAHANI: The recent bug was like a gaping pothole. His volunteer team couldn't catch it because there aren't enough of them to look. They get some money in corporate contracts.

MARQUESS: Rather quite a bit under a million.

SHAHANI: But that's for company-specific work. In 2013, they got just $2,000 for upkeep.

After news of the bug broke, one person on a popular tech forum jokes, the software could raise more money panhandling in a big city than it's gotten online.

ED FELTON: Seeking donations is obviously one useful path for getting support.

SHAHANI: Ed Felton is a computer scientist at Princeton University.

FELTON: But I don't know about standing out the street corner with a tin cup.

SHAHANI: Felton says OpenSSL is like public infrastructure without a tax base. It's open source - meaning anyone can use it for free. But it's so poor, it's never had a complete security audit. Two-thirds of websites rely on OpenSSL. In economics, these users are called free riders.

FELTON: A freerider problem means that someone can benefit from a project or a technology without contributing back to it.

SHAHANI: High-tech companies are keeping quiet about the software's financial woes. Facebook and OKCupid did not respond to NPR's inquiry. Yahoo, Amazon and Google declined to comment. CISCO did disclose they do not give checks to OpenSSL, but their employees do actively help with code.

Many cybersecurity experts, including Felton, say that's not enough.

FELTON: Somebody needs to be paying and putting in the work to ensure that components like OpenSSL is secure. It's a job that some of the large companies could do or get together and do.

DAVID CHARTIER: I'm not looking for bad guys here. I think it's more of an educational problem.

SHAHANI: David Chartier is CEO of Codenomicon, the company that found the recent bug. He says the crisis is not a cautionary tale in free riders and corporate accountability. Software - public or private - will always have bugs. And people have to come together as a team to deal with it.

FELTON: Never before have we seen the security community, and the general public together along with media, move so quickly to get the word out.

SHAHANI: There is another silver lining. Marquess of the OpenSSL Foundation says since the bug, they've gotten about $10,000 in checks.

MARQUESS: What I think is remarkable about that is so many come from around the world, places like Micronesia, the Netherlands, Taiwan, typically in $5, $10, $20 amounts.

SHAHANI: But Marquess says given all the traffic on OpenSSL, that still doesn't cover the cost of maintenance.

For NPR News, I'm Aarti Shahani in San Francisco.

Copyright © 2014 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.