Heartbleed is a coding bug in the OpenSSL library which allows the OpenSSL heartbeat to be made to expose sensitive data. There are a lot of reasons to use open source, but unfortunately this issue also uncovers a major drawback.


It's a coding bug which can easily be fixed. A commented fix version is available here.
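To make the "coding bug" concrete, here is an added example (not OpenSSL's code and not the commented fix the post links to) that models a TLS heartbeat record as defined in RFC 6520 and applies the kind of length check the fix introduced: the declared payload length plus the mandatory 16 bytes of padding must fit inside the record that was actually received. The function names, status codes and the constructed sample records are assumptions made for this example.

```c
#include <assert.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL's code: a simplified heartbeat record
 * (RFC 6520) is  type(1) | payload_length(2) | payload | padding(>=16). */

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Status codes for the validator (names constructed for this example). */
enum hb_status { HB_OK = 0, HB_TOO_SHORT = 1, HB_BAD_TYPE = 2, HB_LENGTH_OVERRUN = 3 };

/* Parse the heartbeat header and check that the declared payload plus the
 * mandatory padding fit inside the received record. The unpatched code
 * trusted payload_len and copied that many bytes from the heap; the fix
 * rejects the record whenever 1 + 2 + payload_len + 16 exceeds rec_len. */
enum hb_status hb_validate(const uint8_t *rec, size_t rec_len, uint16_t *payload_len_out)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING)          /* header and padding must be present */
        return HB_TOO_SHORT;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return HB_BAD_TYPE;

    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);

    /* This is the bounds check that was missing: declared payload + padding
     * must not run past the end of the record we actually received. */
    if ((size_t)1 + 2 + payload_len + HB_MIN_PADDING > rec_len)
        return HB_LENGTH_OVERRUN;

    if (payload_len_out)
        *payload_len_out = payload_len;
    return HB_OK;
}

/* Build a heartbeat response that echoes only the validated payload and
 * appends fresh padding. Returns the number of bytes written, or 0 when
 * the request is rejected or the output buffer is too small. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    uint16_t plen = 0;
    if (hb_validate(rec, rec_len, &plen) != HB_OK || rec[0] != HB_REQUEST)
        return 0;

    size_t need = 1 + 2 + (size_t)plen + HB_MIN_PADDING;
    if (out_cap < need)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)(plen & 0xff);
    memcpy(out + 3, rec + 3, plen);               /* only bytes that exist in rec */
    memset(out + 3 + plen, 0, HB_MIN_PADDING);    /* real code uses random padding */
    return need;
}

int main(void)
{
    /* Constructed sample records, 24 bytes each: a well-formed request with a
     * 5-byte payload, and one that claims a 65535-byte payload it never sent. */
    uint8_t ok_rec[24]  = { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    uint8_t bad_rec[24] = { HB_REQUEST, 0xff, 0xff, 'h', 'e', 'l', 'l', 'o' };
    uint8_t out[64];

    printf("well-formed request -> status %d, response bytes %zu\n",
           hb_validate(ok_rec, sizeof ok_rec, NULL),
           hb_build_response(ok_rec, sizeof ok_rec, out, sizeof out));
    printf("oversized length    -> status %d, response bytes %zu\n",
           hb_validate(bad_rec, sizeof bad_rec, NULL),
           hb_build_response(bad_rec, sizeof bad_rec, out, sizeof out));
    return 0;
}
```

The second record is rejected with `HB_LENGTH_OVERRUN` and no response is built; without the check in `hb_validate`, `memcpy` would read far beyond the 24 bytes that were received, which is the whole mechanism behind the disclosure.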

Actually, the most severe issues now are:

1) Nobody knows whether the private key was already disclosed. So every provider has to create a new private key in order to be on the safe side.

2) Nobody knows which software uses the buggy OpenSSL version. There are a lot of devices out there which use Linux as their operating system. If they have to provide security, there is a high chance they use OpenSSL. Linux is also very popular on servers run by providers and in a lot of other products like internet routers. It's simply the number of devices which are a security risk, given that they use OpenSSL.

3) Just a couple of weeks ago there was a security flaw detected in AVM/Fritz routers. AVM provided updates very fast and will publish another update regarding this OpenSSL issue very soon. It will be interesting to see the update policy of other router providers and internet providers.

As an analogy: there exist a lot of front doors in houses which are based on Linux and which tell an intruder the exact details needed to create a duplicate key. Because nobody knows whether he has already been compromised, everybody has to replace the door lock.



Forbes: What's Really Scary About Heartbleed

The Sydney Morning Herald: Man who introduced serious 'Heartbleed' security flaw denies he inserted it deliberately
