Free Software Foundation statement on Heartbleed vulnerability

by Free Software Foundation Contributions Published on Apr 08, 2014 05:33 PM
Today, news broke of a major security vulnerability in OpenSSL. The bug, which is being referred to as "heartbleed", allows unauthorized access to information protected, under normal conditions, by the SSL/TLS encryption used to secure much of the Internet. In response to the news, Free Software Foundation executive director John Sullivan made the following statement:

Using free "as in freedom" software, like OpenSSL, is a necessary first step in securing our computers, our servers, and the entire Internet. Free software guarantees users the ability to examine the code in order to detect vulnerabilities, and to create new and safe versions if a vulnerability is discovered. Bugs, sometimes big ones like Heartbleed affecting widely used software like OpenSSL, can occur in any code, free or proprietary. The difference is, when no one but a proprietary software company like Microsoft can see the code, or fix it when problems are discovered, it is impossible to have a true chain of trust. Everyone is helpless until Microsoft decides to act.

It's been documented that companies like Microsoft are even sharing bugs with others like the NSA without fixing them, looking the other way so that third parties can exploit the security hole. And Apple has a backdoor on the iPhone that security experts say was either caused by NSA sabotage or deliberate internal sabotage by Apple. In short, examples of proprietary software's insecurity abound.

Heartbleed is a serious security issue, and it's a good thing that OpenSSL is free software. This has allowed the bug to be identified and fixed rapidly after being disclosed.

As for the FSF's own systems, we are upgrading them as we speak. We'd like to thank the Trisquel‡ and Debian distributions of GNU/Linux for quickly releasing updates with fixed packages.

‡: Trisquel is an FSF-endorsed free GNU/Linux distribution.
