The Inquirer-Home

Linux Foundation throws money at OpenSSL staffing post-Heartbleed

But fool the industry twice, shame on them
Fri May 30 2014, 15:22

THE LINUX FOUNDATION announced on Thursday the first round of initiatives from the Core Infrastructure Initiative (CII), the industry body set up in the wake of the OpenSSL Heartbleed bug.

The CII will fund two full-time developers to work on the OpenSSL project and an audit of OpenSSL by the Open Crypto Audit Project (OCAP).

Jim Zemlin, executive director at The Linux Foundation, said, "All software development requires support and funding. Open source software is no exception and warrants a level of support on par with the dominant role it plays supporting today's global information infrastructure."

The news comes in a week when another open source cryptography software product, TrueCrypt, announced that it had unresolved security vulnerabilities that made it unreliable as an encryption tool, despite being given the all clear by OCAP just a month previously.

The CII funding represents industry acceptance of the OpenSSL project, with funding and support coming from almost every corner of the industry, including Google, IBM, Microsoft and HP, with the CII management housed at the Linux Foundation.

An additional fork of the project, known as LibreSSL, is maintained by the curators of OpenBSD, the open source Unix operating system. LibreSSL hopes to reintegrate with and supersede OpenSSL in the future, but has been hampered by the CII decision to concentrate funding on OpenSSL.

The CII has also committed funding for maintaining two other protocols - the Network Time Protocol (NTP), which despite being one of the oldest protocols on the internet still has the potential to be exploited, and OpenSSH, the world's most prevalent secure shell protocol used to encrypt direct traffic between computers.

The Heartbleed bug demonstrated to the world that being apathetic about the nuts and bolts of internet security can have dire consequences, and these initiatives by the CII, it is hoped, will avoid future problems.

Earlier this year, Mozilla offered a $10,000 bounty for anyone able to create "rock solid" protection against the Heartbleed bug. µ

 
