Today, news broke of a major security vulnerability in OpenSSL. The bug, which is being referred to as "heartbleed", allows unauthorized access to information protected, under normal conditions, by the SSL/TLS encryption used to secure much of the Internet. In response to the news, Free Software Foundation executive director John Sullivan made the following statement:
Using free "as in freedom" software, like OpenSSL, is a necessary first step in securing our computers, our servers, and the entire Internet. Free software guarantees users the ability to examine the code in order to detect vulnerabilities, and to create new and safe versions if a vulnerability is discovered. Bugs, sometimes big ones like Heartbleed affecting widely used software like OpenSSL, can occur in any code, free or proprietary. The difference is, when no one but a proprietary software company like Microsoft can see the code, or fix it when problems are discovered, it is impossible to have a true chain of trust. Everyone is helpless until Microsoft decides to act.
It's been documented that companies like Microsoft are even sharing bugs with others like the NSA without fixing them, looking the other way so that third parties can exploit the security hole. And Apple has a backdoor on the iPhone that security experts say was either caused by NSA sabotage or deliberate internal sabotage by Apple. In short, examples of proprietary software's insecurity abound.
Heartbleed is a serious security issue, and it's a good thing that OpenSSL is free software. This has allowed the bug to be identified, and fixed rapidly after being disclosed.
As for the FSF's own systems, we are upgrading them as we speak. We'd like to thank the Trisquel‡ and Debian distributions of GNU/Linux for quickly releasing updates with fixed packages.
‡: Trisquel is an FSF-endorsed free GNU/Linux distribution.
Sent from the Free Software Foundation,
Boston, Massachusetts 02110-1335