The Wall Street Journal recently ran an article (4/12/14) pointing out just how few people the entire world wide web actually relies upon for much of its security. According to the article by Danny Yadron, the recent encryption flaw underscores this very weakness: It is “mostly managed by four European coders and a former military consultant in Maryland.”
The Journal article points out that most of the 11-member team are volunteers, and only one works full time. Their budget is less than $1 million per year. The Internet’s encryption methods are largely based on something called OpenSSL, a protocol developed in the 1990s to create a free set of encryption tools that have since been adopted by about two-thirds of the world’s Web servers.
The most recent incident we’ve all heard about, Heartbleed, was a bug unintentionally introduced by a programmer on New Year’s Eve, 2011, while working on some bug fixes for OpenSSL. The bug was subsequently overlooked by others until it was discovered recently, to much fanfare and alarm.
The OpenSSL data encryption project is run by a full-time developer named Stephen Henson, described by Yadron as “a 46-year-old British cryptographer with a Ph.D. in math.” A couple of other Brits and a German fill out the project’s management team. The team is constantly refining the secure sockets layer (SSL), which guards against hackers reading data that users send to websites.
All the team members, it is noted, are outside the U.S., to avoid arms export laws that apply to advanced encryption.
But arguably the best part of the story is this: The foundation that runs OpenSSL relies mostly on $5 and $10 donations, according to the Journal article. They have seen a slight uptick in donations since Heartbleed was disclosed.
So there you have it, folks: the most critical layer of most Internet security is run by a minuscule team of mostly volunteers who accept small donations for their efforts.
Happy surfing… but please, give ’til it hurts, won’t you?