Six months ago, when the Heartbleed bug threatened your bank account, your passwords, and your online life, people suddenly cared about OpenSSL, the open source implementation of the cryptographic protocols that keep huge swaths of the Internet safe. They wanted to know what it all meant and who was responsible for keeping them safe. (As it happens, the people most closely involved were two middle-aged guys called Steve.)
But at LinuxCon Europe 2014, a conference for the open source software movement held earlier this month in Düsseldorf, Germany, 11 OpenSSL developers—most of them volunteers who had jetted in from around the world to meet in an anteroom off the main convention floor—were roundly ignored.
Many of the issues that were brought to light when Heartbleed hit the news—understaffing, under-resourcing, and the most gaping security holes—have been fixed in the past six months. Though there are still occasional security flare-ups, they are few, far between, and less momentous than Heartbleed. For many attendees at LinuxCon Europe, it was a case of “out of sight, out of mind.”
But that didn’t make the presence of the OpenSSL team—only two of whom work full time on the project—at the conference any less momentous. The group (minus four who couldn’t make the gathering) were meeting in person for the first time ever.
In April this year, it was revealed that a vulnerability in OpenSSL allowed hackers to pilfer 65,536 characters of plain text from servers with impunity. Despite the “open” in the name, what OpenSSL does is create an encrypted link between users and servers. A coding slip-up caused the encryption to fail. That meant malicious actors could potentially have had access to everything you’re told to keep secret: passwords, bank account details, everything.
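The “coding slip-up” behind Heartbleed was a missing bounds check: a length field supplied by the peer was trusted without confirming that many bytes had actually arrived. The following is an added example, not code from OpenSSL or from the article, showing the check a defender wants in any parser of length-prefixed records. The record layout (one type byte, a two-byte big-endian declared payload length, then the payload) is a constructed, hypothetical format used only for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record layout (constructed for this example):
   byte 0      : record type
   bytes 1..2  : declared payload length, big endian
   bytes 3..   : payload
   Returns 0 on success; negative codes identify why a record was rejected. */
enum {
    PARSE_OK         =  0,
    PARSE_BAD_ARG    = -1,
    PARSE_SHORT_HDR  = -2,   /* fewer than 3 bytes received */
    PARSE_LEN_LIES   = -3,   /* declared length exceeds bytes actually received */
    PARSE_OUT_TOO_SMALL = -4 /* caller's buffer cannot hold the payload */
};

int extract_payload(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (rec == NULL || out == NULL || out_len == NULL)
        return PARSE_BAD_ARG;
    if (rec_len < 3)
        return PARSE_SHORT_HDR;

    size_t declared = ((size_t)rec[1] << 8) | rec[2];

    /* The check the vulnerable code lacked: the peer's declared length must
       fit inside the bytes that were really received. Without it, a copy of
       `declared` bytes would read past the record into adjacent memory. */
    if (declared > rec_len - 3)
        return PARSE_LEN_LIES;
    if (declared > out_cap)
        return PARSE_OUT_TOO_SMALL;

    memcpy(out, rec + 3, declared);
    *out_len = declared;
    return PARSE_OK;
}

int main(void)
{
    uint8_t out[64];
    size_t n = 0;

    /* Constructed sample: honest record declaring 3 bytes and carrying 3. */
    const uint8_t honest[] = { 1, 0x00, 0x03, 'a', 'b', 'c' };
    printf("honest record  -> %d (payload %zu bytes)\n",
           extract_payload(honest, sizeof honest, out, sizeof out, &n), n);

    /* Constructed sample: record declaring 65,535 bytes but carrying one. */
    const uint8_t lying[] = { 1, 0xFF, 0xFF, 'a' };
    printf("lying record   -> %d\n",
           extract_payload(lying, sizeof lying, out, sizeof out, &n));

    return 0;
}
```

The point is not the particular format but the discipline: every length a remote party supplies is an assertion to be verified against the bytes in hand, and a mismatch is a reason to reject the record, never a size to copy.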