Is the internet really open source?

How secure is open source?

Arne Arnold

A fatal software error in the open source program OpenSSL not only exposed billions of passwords to spying; it also shook trust in open source software.

Image: The source code of OpenSSL with the heartbeat section.

Many users consider open source programs to be particularly secure because the source code of this software is freely accessible. Anyone who is interested and knows the respective programming language can download the code and check it line by line with their own eyes. That is why open source programs are recommended especially for security-relevant tasks, such as the TrueCrypt encryption software or the KeePass password manager. The Linux software OpenSSL is used on at least half a million Internet servers and encrypts the connection between a website on the server and the surfer's browser, recognizable by the "https" in front of the web address. This SSL encryption is used by online shops as well as by social networks and mail providers.

OpenSSL security vulnerability

At the beginning of April of this year, the bug christened Heartbleed was discovered in OpenSSL. This security hole had existed for around two years, affected an extremely large number of systems and was so serious that every well-known website fixed the error within a short time. The consequence for you as a user: you should urgently change your passwords for the affected web services. This page lists, among other things, which services those are.
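What the Heartbleed error boiled down to was a missing check: the server trusted the payload length that the peer claimed in a heartbeat request instead of comparing it with the number of bytes that had actually arrived. The following is an added, deliberately simplified illustration written for this article; it is not code from OpenSSL, and the record layout (one type byte, a two-byte big-endian length, the payload, at least 16 bytes of padding) is a constructed model of the heartbeat message. It shows the length check that a hardened handler performs before echoing anything back.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a heartbeat request record (added example, not OpenSSL code):
 *   byte 0      : message type
 *   bytes 1..2  : claimed payload length, big-endian
 *   bytes 3..   : payload, followed by at least HB_PADDING bytes of padding */
#define HB_PADDING 16

/* The length the peer *claims* for its payload. An unpatched handler used this
 * value directly to decide how many bytes to copy into the response. */
static size_t claimed_payload_len(const uint8_t *rec, size_t rec_len) {
    if (rec_len < 3) return 0;
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Hardened check: header + claimed payload + padding must fit inside the bytes
 * actually received. Returns 1 when the record is self-consistent and 0 when the
 * claimed length would reach past the end of the record (a malformed request
 * that must be dropped rather than answered). */
static int heartbeat_length_ok(const uint8_t *rec, size_t rec_len) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    size_t payload = claimed_payload_len(rec, rec_len);
    return 1 + 2 + payload + HB_PADDING <= rec_len;
}

/* Echoes the payload into out only after the length check has passed.
 * Returns the number of bytes written, or -1 if the request was rejected. */
static long heartbeat_echo(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap) {
    if (!heartbeat_length_ok(rec, rec_len)) return -1;
    size_t payload = claimed_payload_len(rec, rec_len);
    if (payload > out_cap) return -1;
    memcpy(out, rec + 3, payload);
    return (long)payload;
}

/* Constructed sample records: both are 21 bytes long and carry the payload "hi".
 * GOOD_REC claims 2 payload bytes; BAD_REC claims 65535, far more than it holds. */
static const uint8_t GOOD_REC[] = { 0x01, 0x00, 0x02, 'h', 'i',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
static const size_t GOOD_REC_LEN = sizeof GOOD_REC;
static const uint8_t BAD_REC[] = { 0x01, 0xFF, 0xFF, 'h', 'i',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
static const size_t BAD_REC_LEN = sizeof BAD_REC;

/* Scratch buffer and helper so the result of an echo can be inspected. */
static uint8_t g_out[64];
static long echo_demo(const uint8_t *rec, size_t rec_len) {
    memset(g_out, 0, sizeof g_out);
    return heartbeat_echo(rec, rec_len, g_out, sizeof g_out);
}

int main(void) {
    printf("good record: claims %zu bytes, check=%d, echoed=%ld\n",
           claimed_payload_len(GOOD_REC, GOOD_REC_LEN),
           heartbeat_length_ok(GOOD_REC, GOOD_REC_LEN),
           echo_demo(GOOD_REC, GOOD_REC_LEN));
    printf("bad record:  claims %zu bytes, check=%d, echoed=%ld\n",
           claimed_payload_len(BAD_REC, BAD_REC_LEN),
           heartbeat_length_ok(BAD_REC, BAD_REC_LEN),
           echo_demo(BAD_REC, BAD_REC_LEN));
    return 0;
}
```

The malformed record is the interesting case: without the comparison in heartbeat_length_ok, a handler would copy 65535 bytes starting at the payload, although only 18 bytes of the record exist, and would therefore send whatever happened to follow the record in memory. The hardened handler rejects the request and sends nothing.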

Is open source secure?

The bug in OpenSSL has put an old question back on the agenda: is open source secure? Just because interested parties are able to look at the source code, it is by no means guaranteed that anyone actually does. After all, analyzing many thousands of lines of code is not exactly a pleasure. On the contrary: the analysis of vulnerabilities requires advanced programming knowledge, a talent for troubleshooting and a lot of time. Volunteers evidently do not do this, or not often enough. In the case of security-relevant programs such as OpenSSL or TrueCrypt, the search for errors in the code is joined by the search for deliberately placed back doors. Every change to the open source code is documented and approved by the person responsible for the project, but a cleverly built back door may not be recognizable as such. One example of this is the Dual EC DRBG random number generator, which the NSA is said to have introduced into an encryption standard.

On the occasion of the vulnerability in OpenSSL, the head of Steganos, Gabriel Yoran, organized a public source code reading of the OpenSSL bug. One of the findings: the programmers of the code also sit on the supervisory body that sets the standards for the program. So they are, at least partially, monitoring themselves.

The highly recommended YouTube video is available here:

What should change?

If the testing of security-relevant open source code is evidently inadequate, something should change. That is what some encryption experts thought, and in autumn 2013 they raised money through crowdfunding to have the TrueCrypt software checked in an audit. The good news: after the first round of testing, everything looks fine.

However, the fundamental question now arises: who should actually check open source code in an independent process? Of course there are commercial companies that test and certify code for sums in the high five figures. But if you trust these companies, then you trust the same principle that underlies every closed source program: the commercial company will work correctly and in my favor, because only then can it exist lawfully and permanently. Seen this way, you might just as well use the software of commercial companies.

In addition: where should the money for the testing come from in the long term, and what influence will the donors then have on the software? This is a very topical issue, because after the SSL bug the Linux Foundation asked for money to test code, and received it: Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, VMware and others are donating for this purpose. The software will therefore of course remain open source, but it will also remain independent.

A state institute that checks open source code would also be conceivable. But after the revelations by Edward Snowden, trust in state institutes is likely to be low. The question of the security of open source software thus remains unanswered today, which of course does not mean that closed source should automatically be classified as more secure.

Survey: We are interested in your opinion. When you have a choice between open source and closed source software, which would you rate as more secure?