While gathering up additional data for the next post on wealth, here are some thoughts on the Heartbleed security vulnerability. At USV we sent out a notice of the issue to all the heads of engineering as well as all of the CEOs. This was easy to do since, as part of the USV network, we have these groups pre-defined. It was immediately clear, based on the severity of the issue, that it required CEO-level attention. For an example of an excellent response from one of our portfolio companies, here is a detailed disclosure by Twilio.
I have posted frequently in the past that crypto alone is not the answer to questions of privacy and security. Whenever I write along those lines someone shows up with a “but math defends us” argument. Well, cryptographic math isn’t something abstract. It lives in code. And that code can and will have errors. There will inevitably be endless arguments about bounds checking and programming languages and so on, focused on how this particular bug could have been avoided. Again, this misses the point. Systems today are layers upon layers, and cryptography will never be the only answer. We need to focus as much, if not more, on protecting people rather than data and systems.
If we want to have a debate on the code and technology side, it should be around the future of certificates and how they are issued, distributed, verified, revoked and used. There is currently a mass process happening (hopefully) in which companies are scrambling to replace potentially compromised server keys, which requires that they obtain new certificates. The certificates bind the public key to the identity of the company / service. This mechanism is built on a web of trust that goes back to root certificates. This seems like an area where a blockchain-type solution could provide a truly decentralized alternative. If I am being vague here, it’s because I don’t know what the exact mechanism would be, but this seems very much worth looking into. As part of that we can hopefully get a broad mechanism for tying keys to individuals (not just organizations) in a decentralized identity system. We had an early start on that with client-side certificates in browsers, which unfortunately were eventually abandoned.
For both the political and the technological debate, I hope that Heartbleed serves as a wake-up call, especially to technologists. Again, the two key issues I would like folks to focus on are (a) the importance of political and social changes in preventing the abuse of data that has been and will be leaked and (b) the necessity of a truly decentralized identity-key mapping infrastructure.