Think of how many times you've typed a password on the Internet in the past two years and then consider this: All that time, you and most of the websites you visit relied on a tiny group of poorly paid programmers to keep you safe from hackers. It turns out the job was just too big for them to do alone.
That's a big reason why it took two years to discover a hole in the widely used security tool behind the little lock symbol that reassures you your online transactions are secure, a free, open-source program known as OpenSSL. Researchers disclosed this week that a bug in the software, dubbed "Heartbleed," could allow hackers to steal passwords, credit card data or Social Security numbers from two-thirds of all websites.
Major sites such as Facebook, Google, Amazon and Yahoo have scrambled to patch the hole. But those and other companies could have helped catch the bug months ago, simply by pitching in for an audit of OpenSSL's code, said Ben Laurie, one of the programmers who works on the software.
“There are a lot of companies making big bucks that use this in their core products,” Laurie said by phone on Wednesday from his home in Wales. “They should be making contributions, but their position is, ‘We found this nice thing you’re giving away for nothing. That’s kind of you, but we’re not going to help you.’”
Originally written in the late 1990s, OpenSSL is designed to scramble sensitive online data so hackers can't steal it. Numerous websites rely on the tool because they find it extremely difficult to write encryption code on their own, said Edward Felten, a computer science professor at Princeton University.
Despite its critical role in Internet security, the software is written and maintained largely by Laurie and three other people who live in Europe, as well as a few contributors. Together, they earned less than $1 million last year for their work on OpenSSL from a mix of contract work and donations, said Steve Marquess, president of OpenSSL Software Foundation, which raises money for the programmers.
Most of the programmers who work on OpenSSL have other jobs during the day and maintain the software in their spare time. The programmers don’t have time to check every line of code for flaws and can’t afford to pay someone else to do it. A formal audit of software code can cost at least $100,000 and often costs much more, according to Laurie.
“We simply don’t have the funding for that,” Marquess said. “The funding we have is to support food and rent for people doing the most work on OpenSSL.”
He added that the foundation’s funding pales in comparison to other open-source projects. “The irony here is everyone uses it and no one supports it financially,” he said.
The bug revealed this week was buried inside 10 lines of code and would have been spotted in an audit, according to Laurie, who works on the security team at Google. "Unless you're doing an audit, you're not going to see it," he said.
Marquess said that the code containing the Heartbleed bug was written by an outside contributor, whom Marquess did not identify. Later reports, however, have identified that contributor as Robin Seggelmann, a software developer in Germany. According to the Sydney Morning Herald, Seggelmann says the error was an oversight, and not deliberate or malicious.
"It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project," said Seggelmann, according to the paper.
Felten said he was “surprised” to learn that so few people maintain the computer code for software that is so important to Internet security, and that he thinks major companies should help pay for its maintenance.
“One question is whether companies that rely so much on the software are pulling their weight in terms of contributing to the overall project,” Felten said.
Even so, Marquess said the OpenSSL programmers have done "a superb job" of maintaining a critical piece of Internet infrastructure for such a long time with few resources.
"The amazing thing is there have been so few serious problems," he said.
This article has been updated with additional information about the identity of the programmer who introduced the error.