Interview: Post-Heartbleed, is it time to consider an alternative to OpenSSL?

The Heartbleed Bug (and it's definitely a bug - not a virus) has ignited a debate around the security and reliability of open source software in recent months.

Discovered by researchers at Google and Codenomicon, the vulnerability was found in the open source OpenSSL cryptographic software library that provides Secure Sockets Layer (SSL) and Transport Layer Security (TSL) protection for anything from emails and web browsing to internet banking.

The programming mistake that led to Heartbleed - which was accidentally introduced by German programmer Dr. Robin Seggelmann, a frequent contributor of OpenSSL code - allows attackers to download 64k chunks of data stored in the supposedly secure main memory of servers.

It was an honest mistake, but one with far-reaching consequences. According to Errata Security, around 320,000 of 600,000 detected vulnerable servers are still vulnerable to Heartbleed. Post-Heartbleed, every private key on servers running OpenSSL are now suspect and could be potentially used by attackers to impersonate secure websites so long as those servers remain unpatched.

Is it time to switch from OpenSSL to a commercial solution (or another alternative) when it comes to web security? We spoke to industry experts at Infosec 2014 to find out more.

James Sherlow, SE Manager WEUR at Palo Alto Networks, thinks that ditching OpenSSL in the wake of Heartbleed would be something of a knee-jerk reaction:

"OpenSSL is still highly relevant and has scalability. It has a community of highly skilled developers, which is extremely valuable and still valid. Every software at a certain point in time will have some sort of vulnerability associated with it, but it doesn't mean we switch it off; it means we learn from our lessons."

"I think that the open source community needs to start putting mechanisms in different areas that could cross-check others. That's better than finger pointing and blame which doesn't get anyone anywhere. It would mitigate the risk, reduce the chance of attack and raise the bar. To get to zero errors is difficult, but let's aim for it. That's the bar."

The question of whether we should get rid of OpenSSL isn't so black-and-white, according to JD Sherry, VP of Technology & Solutions for Trend Micro. He believes that instead of turning down the services of dedicated and talented open source contributors, rewards should be offered to others who seek out errors in their work:

"Open source is always going to be an innate part of what we do, primarily because there's lots of great engineering involved with it - a lot of people pour their passion into these projects and a lot of excellent work comes out of them."

More:
Interview: Post-Heartbleed, is it time to consider an alternative to OpenSSL?