05-17, 09:15–09:45 (US/Eastern), Salle de Bal
This year marks the ten-year anniversary of Heartbleed’s discovery and public disclosure. Heartbleed was a severe flaw in the OpenSSL cryptographic library. It was publicly disclosed on April 7, 2014, initiating a long and arduous process of remediation for more than two thirds of all web servers on the internet. Anybody could potentially eavesdrop on communications, steal data or impersonate users for any vulnerable service or device, without leaving a trace. Described by some experts as “one of the most consequential vulnerability since the advent of the commercial internet”, Heartbleed abruptly unveiled the insecure and unsustainable foundations on which the internet infrastructure was built. How could so many major organizations (Google, Amazon, Facebook, financial and government institutions) depend on OpenSSL, a struggling free software project with one overworked full-time developer and $2,000 in yearly donations? How could they integrate its code without any proper security audit or reciprocal financial support? This presentation traces the historical roots of the OpenSSL project and its growing adoption, from the mid 1990s up to 2014. Based on original interviews with OpenSSL developers and security experts as well as extensive archival research, it portrays a nascent cryptographic library written “as a learning exercise” during the turmoil of the Crypto Wars of the 1990s. Finally, this presentation explores some of the long-lasting effects Heartbleed has had on the tech industry and free software community – effects that still resonate to this day, ten years later.
English
Titulaire d’une maîtrise en mobilisation et transfert des connaissances de l’Institut national de la recherche scientifique, Louis a toujours cherché à combiner son intérêt pour le transfert des connaissances à sa passion pour la recherche et l’impact des nouvelles technologies. Après avoir poursuivi ses études universitaires en s’intéressant à la vulnérabilité Heartbleed et son impact sur les pratiques de sécurité, Louis a collaboré avec plusieurs organismes de mobilisation des connaissances tels que Serene-risc et Research Impact Canada. Ayant récemment joint l’équipe du soutien à la recherche chez Ivado, cette présentation est l’occasion pour Louis de revisiter le sujet qui l’a passionné pendant des années.
Holder of a master's degree in knowledge mobilization from INRS, Louis has always sought to combine his interest in knowledge transfer with his passion for research and the impact of new technologies. After continuing his university studies focusing on the Heartbleed vulnerability and its impact on security practices, Louis collaborated with several knowledge mobilization organizations such as Serene-risc and Research Impact Canada. Having recently joined the research support team at Ivado, this presentation is an opportunity for Louis to revisit the subject that has fascinated him for years.