Heartbleed, ten years later


This year marks the ten-year anniversary of Heartbleed’s discovery and public disclosure. Heartbleed was a severe flaw in the OpenSSL cryptographic library. It was publicly disclosed on April 7, 2014, initiating a long and arduous process of remediation for more than two thirds of all web servers on the internet. Anybody could potentially eavesdrop on communications, steal data or impersonate users of any vulnerable service or device, without leaving a trace. Described by some experts as “one of the most consequential vulnerabilities since the advent of the commercial internet”, Heartbleed abruptly unveiled the insecure and unsustainable foundations on which the internet infrastructure was built. How could so many major organizations (Google, Amazon, Facebook, financial and government institutions) depend on OpenSSL, a struggling free software project with one overworked full-time developer and $2,000 in yearly donations? How could they integrate its code without any proper security audit or reciprocal financial support? This presentation traces the historical roots of the OpenSSL project and its growing adoption, from the mid-1990s up to 2014. Based on original interviews with OpenSSL developers and security experts as well as extensive archival research, it portrays a nascent cryptographic library written “as a learning exercise” during the turmoil of the Crypto Wars of the 1990s. Finally, this presentation explores some of the long-lasting effects Heartbleed has had on the tech industry and the free software community – effects that still resonate to this day, ten years later.