
Heartbleed is a coding bug in the OpenSSL component which causes the OpenSSL heartbeat to expose sensitive data. There are a lot of reasons to use open source, but unfortunately this issue also uncovers a major drawback.


It's a coding bug which can easily be fixed. A commented version of the fix is available here.
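As an added illustration (not code from this post or from OpenSSL itself), the following C model shows the missing bounds check at the core of the bug: the unpatched handler trusts the payload length claimed in the heartbeat request, while the patched handler checks that claim against the record it actually received. The record layout and the check follow RFC 6520 and the published OpenSSL fix; the sample records are constructed, and the over-read is counted rather than performed.

```c
#include <stdint.h>
#include <stdio.h>
/* TLS heartbeat (RFC 6520): type byte, 2-byte big-endian payload length,
 * payload, then at least 16 bytes of padding. The bug: OpenSSL trusted the
 * claimed length instead of checking it against the record it received. */
#define HB_HDR_LEN 3
#define HB_PAD_LEN 16
typedef struct {
    int    rejected;  /* 1 if the handler drops the request */
    size_t copied;    /* bytes the handler would copy into the reply */
    size_t overread;  /* of those, bytes lying beyond the received record */
} hb_result;
static size_t claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];   /* OpenSSL's n2s(p, payload) */
}

/* Unpatched behaviour: would memcpy() 'payload' bytes starting at the
 * record, so an oversized claim reads past its end. Counted, not performed. */
hb_result hb_process_vulnerable(const uint8_t *rec, size_t rec_len) {
    hb_result r = {0, 0, 0};
    if (rec_len < HB_HDR_LEN) { r.rejected = 1; return r; }
    size_t payload = claimed_len(rec), avail = rec_len - HB_HDR_LEN;
    r.copied = payload;
    r.overread = payload > avail ? payload - avail : 0;
    return r;
}

/* Patched behaviour: header + claimed payload + padding must fit inside
 * the record, otherwise the request is silently dropped. */
hb_result hb_process_fixed(const uint8_t *rec, size_t rec_len) {
    hb_result r = {0, 0, 0};
    if (HB_HDR_LEN + HB_PAD_LEN > rec_len) { r.rejected = 1; return r; }
    size_t payload = claimed_len(rec);
    if (HB_HDR_LEN + payload + HB_PAD_LEN > rec_len) { r.rejected = 1; return r; }
    r.copied = payload;
    return r;
}

/* Constructed samples: a well-formed 4-byte "ping" request (23 bytes with
 * padding) and the same record with its length field set to 65535. */
static const uint8_t hb_good[23] = {1, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t hb_bad[23]  = {1, 0xff, 0xff, 'p', 'i', 'n', 'g'};
int main(void) {
    hb_result v = hb_process_vulnerable(hb_bad, sizeof hb_bad);
    printf("unpatched: copies %zu bytes, %zu past the record\n", v.copied, v.overread);
    printf("patched: good rejected=%d, bad rejected=%d\n",
           hb_process_fixed(hb_good, sizeof hb_good).rejected,
           hb_process_fixed(hb_bad, sizeof hb_bad).rejected);
    return 0;
}
```

The over-read bytes are whatever happens to follow the record in the process heap, which is why the text above treats private keys as possibly disclosed.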

Actually, the most severe issues now are:

1) Nobody knows whether the private key has already been disclosed. So every provider has to create a new private key in order to be on the safe side.

2) Nobody knows which software uses the buggy OpenSSL version. There are a lot of devices out there which use Linux as their operating system. If they have to provide security, there is a high chance they use OpenSSL. Linux is also very popular on servers run by providers and in a lot of other products like internet routers. It's the sheer number of devices which is a security risk, given that they use OpenSSL.

3) Just a couple of weeks ago there was a security flaw detected in AVM/Fritz routers. AVM provided updates very fast and will publish another update regarding this OpenSSL issue very soon. It will be interesting to see the update policy of other router vendors and internet providers.

As an analogy: there exist a lot of front doors in houses which are based on Linux and which tell an intruder the exact details needed to create a duplicate key. Because nobody knows whether they have already been compromised, everybody has to replace the door lock.


Links

Forbes: What's Really Scary About Heartbleed

The Sydney Morning Herald: Man who introduced serious 'Heartbleed' security flaw denies he inserted it deliberately
