Heartbleed FUD: scarier than Jedward as triplets?
Davey Winder thinks the fact password reset floodgates are about to open...
As the media, the IT security industry, open source pundits and Joe User alike get swept away by the story so the FUD floodgates have opened. And FUD (that's Fear, Uncertainty and Doubt) would be a more unwelcome trio than if Jedward were triplets.
Beyond the fact that the heartbeat function of OpenSSL, which sends a server response to clients letting them know it is in effect alive, is flawed the facts have been in short supply. It should send back the amount of data the client sent. However, thanks to a German software developer working on the open source protocol who forgot to validate a variable containing a length when he added some functionality to OpenSSL in 2011, a hacker could actually request data from the server memory up to 65,536 bytes in length.
I didn't think I would end this piece with a Celine Dion reference, but I imagine the Heartbleed FUD will go on...
The bad guys could make such requests over and over again and this could include login credentials and private SSL certificates.
I know this, for a fact, because I have sat back and waited for the evidence to emerge. If I had jerked my knee a week ago I, like many security 'experts' would be reassuring clients that private encryption keys were safe and extensive testing had shown this to pretty much be the case. Cloudflare were so sure that it would be difficult, if not impossible, to do so that the company issued a challenge to white hats to have a go at a vulnerable server set up for the purpose of testing. It took just hours for a couple of them to succeed. Cloudflare responded by changing its reissue and revoke advice from a medium to high priority.
In This Article
Next-generation time series: Forecasting for the real world, not the ideal world
Solve time series problems with AIFree download
The future of productivity
Driving your business forward with Microsoft Office 365Free download
How to plan for endpoint security against ever-evolving cyber threats
Safeguard your devices, data, and reputationFree download
A quantitative comparison of UPS monitoring and servicing approaches across edge environments
Effective UPS fleet managementFree download