Scarcely a month after announcing the formation of a group designed to help fund open source projects, the Core Infrastructure Initiative has decided to provide the OpenSSL Project with enough money to hire two full-time developers and also will fund an audit of OpenSSL by the Open Crypto Audit Project.
The CII is backed by a who’s who of tech companies, including Google, Microsoft, IBM, the Linux Foundation, Facebook and Amazon, and the group added a number of new members this week, as well. Adobe, Bloomberg, HP, Huawei and Salesforce.com have joined the CII and will provide financial backing.
The announcement from the CII comes at a time when there are major questions swirling around crypto projects. On Wednesday, the main TrueCrypt Web page and Sourceforge page began carrying a message warning users that the open source encryption package is not safe and may contain unfixed security vulnerabilities. The same warning also appears in the installation screen of TrueCrypt 7.2, the new version, which was signed with the valid encryption key of the project. A month ago, the OCAP released an initial report saying that the first phase of its audit of TrueCrypt had turned up no backdoors or other troubling vulnerabilities. Security experts for years have wondered about the integrity of the software, as its developers are anonymous and TrueCrypt had never gone through an outside audit.
Now, the OCAP team, which includes Johns Hopkins professor and cryptographer Matthew Green and Kenn White, will have the money to fund an audit of OpenSSL, as well. OpenSSL took a major hit earlier this year with the revelation of the Heartbleed vulnerability, which sent the Internet into a panic, as the software runs on more than 60 percent of SSL-protected sites.
“Whether we acknowledge it or not, the security of today’s Internet depends on a small number of open source projects. This initiative puts the resources in place to ensure the long-term viability of those projects. It makes us all more secure,” Green said.
In addition to the funding for OpenSSL’s audit, the CII also is committing money to the Network Time Protocol and OpenSSH.
“All software development requires support and funding. Open source software is no exception and warrants a level of support on par with the dominant role it plays supporting today’s global information infrastructure,” said Jim Zemlin, executive director at The Linux Foundation. “CII implements the same collaborative approach that is used to build software to help fund the most critical projects. The aim of CII is to move from the reactive, crisis-driven responses to a measured, proactive way to identify and fund those projects that are in need. I am thrilled that we now have a forum to connect those in need with those with funds.”
The CII also added a number of new advisers, including Green, Bruce Schneier, Eben Moglen of Columbia University and Ted Ts’o of Google.
“This is an important step towards improving the security of the Internet. I’m happy to see the technology companies that rely on the security of open source software investing in that security,” Schneier said.