Heartbleed is a coding bug in the OpenSSL component which makes the OpenSSL heartbeat expose sensitive data. There are a lot of reasons to use open source, but unfortunately this issue also uncovers a major drawback.


It's a coding bug which can easily be fixed. A commented version of the fix is available here.
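To make the nature of the bug concrete, here is an added example (my own code, not code from this post or from OpenSSL): a small heartbeat-record parser that performs the bounds check the bug was missing. It assumes the RFC 6520 message layout (one type byte, a two-byte big-endian payload length, the payload, then at least 16 bytes of padding); the function names and the two sample records are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of padding follow the payload */

/* Parse a heartbeat record laid out as
 *   type(1) || payload_length(2, big-endian) || payload || padding(>=16)
 * Returns the payload length to echo back, or -1 if the record is malformed
 * or the claimed payload length does not fit inside the bytes we received. */
int hb_parse(const uint8_t *rec, size_t rec_len, const uint8_t **payload_out)
{
    /* Too short to hold even the header and the minimum padding. */
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;

    size_t payload = ((size_t)rec[1] << 8) | rec[2];

    /* This is the check the vulnerable code lacked: the peer's claimed length
     * must be consistent with the length of the record actually received.
     * Without it, the copy below would read past the request into whatever
     * happens to sit next to it in memory. */
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;

    *payload_out = rec + 3;
    return (int)payload;
}

/* Build the response by copying exactly the bytes we verified are present.
 * Returns the response length, or -1 if the request is rejected or `out`
 * is too small. */
int hb_build_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_len)
{
    const uint8_t *payload;
    int n = hb_parse(rec, rec_len, &payload);
    if (n < 0) return -1;

    size_t need = 1 + 2 + (size_t)n + HB_PADDING;
    if (need > out_len) return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(n >> 8);
    out[2] = (uint8_t)n;
    memcpy(out + 3, payload, (size_t)n);
    /* Real code uses random padding; zeros keep this example deterministic. */
    memset(out + 3 + n, 0, HB_PADDING);
    return (int)need;
}

/* Constructed sample records (not captured traffic). */
/* A well-formed request: 4-byte payload "ping" followed by 16 bytes of padding. */
static const uint8_t good_rec[] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
/* The same 23-byte record, but the header claims a 0x4000 = 16384 byte payload. */
static const uint8_t bad_rec[] = { HB_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

int demo_good(void) { uint8_t out[64]; return hb_build_response(good_rec, sizeof good_rec, out, sizeof out); }
int demo_bad(void)  { uint8_t out[64]; return hb_build_response(bad_rec,  sizeof bad_rec,  out, sizeof out); }

int main(void)
{
    printf("well-formed request   -> response length %d\n", demo_good());
    printf("over-claimed request  -> %d (rejected)\n", demo_bad());
    return 0;
}
```

The point of the example is the single comparison in `hb_parse`: the length the peer claims is just another untrusted input and has to be checked against what was actually received before anything is copied.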

Actually, the most severe issues now are:

1) Nobody knows whether the private key has already been disclosed. So every provider has to create a new private key in order to be on the safe side.

2) Nobody knows which software uses the buggy OpenSSL version. There are a lot of devices out there which use Linux as their operating system. If they have to provide security, there is a high chance they use OpenSSL. Linux is also very popular on servers run by providers and in a lot of other products like internet routers. It's the sheer number of devices which are a security risk, given they use OpenSSL.

3) Just a couple of weeks ago there was a security flaw detected in AVM/Fritz routers. AVM provided updates very fast and will publish another update regarding this OpenSSL issue very soon. It will be interesting to see the update policy of other router providers and internet providers.

As an analogy: there exist a lot of front doors in houses which are based on Linux and which tell an intruder the exact details needed to create a duplicate key. Because nobody knows whether he's already been compromised, everybody has to replace the door lock.


Links

Forbes: What's Really Scary About Heartbleed

The Sydney Morning Herald: Man who introduced serious 'Heartbleed' security flaw denies he inserted it deliberately
