In-depth

Heartbleed FUD: scarier than Jedward as triplets?

Davey Winder thinks the fact password reset floodgates are about to open...

As the media, the IT security industry, open source pundits and Joe User alike get swept away by the story so the FUD floodgates have opened. And FUD (that's Fear, Uncertainty and Doubt) would be a more unwelcome trio than if Jedward were triplets.

Beyond the fact that the heartbeat function of OpenSSL, which sends a server response to clients letting them know it is in effect alive, is flawed the facts have been in short supply. It should send back the amount of data the client sent. However, thanks to a German software developer working on the open source protocol who forgot to validate a variable containing a length when he added some functionality to OpenSSL in 2011, a hacker could actually request data from the server memory up to 65,536 bytes in length.

I didn't think I would end this piece with a Celine Dion reference, but I imagine the Heartbleed FUD will go on...

The bad guys could make such requests over and over again and this could include login credentials and private SSL certificates.

I know this, for a fact, because I have sat back and waited for the evidence to emerge. If I had jerked my knee a week ago I, like many security 'experts' would be reassuring clients that private encryption keys were safe and extensive testing had shown this to pretty much be the case. Cloudflare were so sure that it would be difficult, if not impossible, to do so that the company issued a challenge to white hats to have a go at a vulnerable server set up for the purpose of testing. It took just hours for a couple of them to succeed. Cloudflare responded by changing its reissue and revoke advice from a medium to high priority.

Featured Resources

Unlocking collaboration: Making software work better together

How to improve collaboration and agility with the right tech

Download now

Four steps to field service excellence

How to thrive in the experience economy

Download now

Six things a developer should know about Postgres

Why enterprises are choosing PostgreSQL

Download now

The path to CX excellence for B2B services

The four stages to thrive in the experience economy

Download now

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021
Hackers are using fake messages to break into WhatsApp accounts
instant messaging (IM)

Hackers are using fake messages to break into WhatsApp accounts

8 Apr 2021