Heartbleed FUD: scarier than Jedward as triplets?
Davey Winder thinks the fact password reset floodgates are about to open...
As the media, the IT security industry, open source pundits and Joe User alike get swept away by the story so the FUD floodgates have opened. And FUD (that's Fear, Uncertainty and Doubt) would be a more unwelcome trio than if Jedward were triplets.
Beyond the fact that the heartbeat function of OpenSSL, which sends a server response to clients letting them know it is in effect alive, is flawed the facts have been in short supply. It should send back the amount of data the client sent. However, thanks to a German software developer working on the open source protocol who forgot to validate a variable containing a length when he added some functionality to OpenSSL in 2011, a hacker could actually request data from the server memory up to 65,536 bytes in length.
I didn't think I would end this piece with a Celine Dion reference, but I imagine the Heartbleed FUD will go on...
The bad guys could make such requests over and over again and this could include login credentials and private SSL certificates.
I know this, for a fact, because I have sat back and waited for the evidence to emerge. If I had jerked my knee a week ago I, like many security 'experts' would be reassuring clients that private encryption keys were safe and extensive testing had shown this to pretty much be the case. Cloudflare were so sure that it would be difficult, if not impossible, to do so that the company issued a challenge to white hats to have a go at a vulnerable server set up for the purpose of testing. It took just hours for a couple of them to succeed. Cloudflare responded by changing its reissue and revoke advice from a medium to high priority.
The top three IT pains of the new reality and how to solve them
Driving more resiliency with unified operations and service management
Download nowThe five essentials from your endpoint security partner
Empower your MSP business to operate efficiently
Download now
