Updated April 11, 2014 7:22 p.m. ET
The encryption flaw that punctured the heart of the Internet this week underscores a weakness in Internet security: It is mostly managed by four European coders and a former military consultant in Maryland.
Most of the 11-member team are volunteers; only one works full time. Their budget is less than $1 million a year. The Heartbleed bug, revealed Monday, was the product of a fluke introduced by a young German researcher.
"It's sort of shocking how few people are at the heart of it," said Kenneth White, an encryption expert at Social & Scientific Systems Inc. in North Carolina. "This is some of the most complex communication code that exists on the Internet."
The OpenSSL Project was founded in 1998 to create a free set of encryption tools that has since been adopted by two-thirds of Web servers. Websites, network-equipment companies and governments use OpenSSL tools to protect personal and other sensitive information online.
So when researchers at Google Inc. and Codenomicon on Monday stated that Heartbleed could allow hackers to steal such data, the Internet went into a panic.
The frenzy intensified Friday after Bloomberg News reported that the National Security Agency knew about the hole for two years but kept it secret to gather intelligence on foreign targets. The NSA, White House and Office of the Director of National Intelligence denied the report. "Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong," White House National Security Council spokeswoman Caitlin Hayden said.
Earlier in the day, a German volunteer coder admitted that he had unintentionally introduced the bug on New Year's Eve 2011 while working on bug fixes for OpenSSL. Robin Seggelmann, a 31-year-old who now works for T-Systems, a unit of Deutsche Telekom AG, said in a blog entry posted by the company that the error had been overlooked by multiple coders working on OpenSSL.
Errors in complex code are inevitable: Microsoft Corp., Apple Inc. and Google announce flaws monthly. But people close to OpenSSL, which relies in part on donations, say a lack of funding and manpower exacerbated the problem and allowed it to go unnoticed for two years.
Heartbleed also raises questions about whether so much of the Internet should rely on a single technology to keep secrets. "Anytime you have a monoculture, one bug is going to make everyone insecure," said Matthew Green, an encryption expert at Johns Hopkins University.
The OpenSSL Project counts a sole full-time developer: Stephen Henson, a 46-year-old British cryptographer with a Ph.D. in mathematics. Two other U.K. residents and a developer in Germany fill out the project's management team.
Associates describe Mr. Henson as brilliant but standoffish and overloaded with work. On his website, he lists encryption questions that are "welcome and not welcome" and compares his responsibilities to those of Bill Gates when he managed Microsoft. "Yes, oddly enough some people have actually met me," Mr. Henson writes.
Of companies asking for free advice on using OpenSSL, he asks, "Well, how would your company respond if I contacted them and demanded large amounts of free consultancy?"
Here's how the OpenSSL Project works: The team is constantly refining a type of encryption called secure sockets layer (SSL) or transport layer security (TLS), which guards against hackers reading data that users send to websites. This type of encryption was invented in the 1990s by Eric Young, now an engineer in Australia for RSA, EMC Corp.'s security unit.
All members of the OpenSSL team are outside the U.S., to avoid arms export laws that apply to advanced encryption.
Geoffrey Thorpe, an OpenSSL volunteer on the development team, said he has little time to spend on the project because of his day job at a hardware technology company.
"You might say that it's like sewerage processing in a way, messy, complicated and usually taken for granted right up until it goes wrong," said Mr. Thorpe, who lives in Quebec City.
Last decade, Steve Marquess, a former U.S. Defense Department consultant living in Maryland, started the OpenSSL Software Foundation to secure donations and consulting contracts for the group.
Mr. Marquess has helped garner sponsorships from the U.S. Department of Homeland Security and the Defense Department. He couldn't confirm the veracity of Friday's Bloomberg story.
The foundation has seen a slight uptick in donations since Heartbleed was disclosed, though most still come in $5 and $10 increments. More than anything, OpenSSL needs more manpower to audit code.
Qualys Inc., a California cybersecurity company, said it donated a small amount to the OpenSSL Software Foundation to work on security code. A company spokesman wouldn't disclose the amount, but said the fact OpenSSL lists Qualys as a "major contributor" indicates it is "woefully underfunded."
Write to Danny Yadron at danny.yadron@wsj.com