Heartbleed SSL Flaw Angst Aggravated by Broken Disclosure Process
NEWS ANALYSIS: The decade's most serious security issue was packaged and branded, but many server administrators and service providers were left in the dark.

The Heartbleed encryption vulnerability is perhaps the most serious Internet security flaw in recent memory, affecting hundreds of millions of people. The Heartbleed flaw is found within OpenSSL, an open-source cryptographic library used for the Secure Sockets Layer (SSL), which is widely deployed on Linux servers and Internet infrastructure around the world. What is perhaps not as well-known in the media circus surrounding the Heartbleed issue is how this critical security issue has been packaged and branded from day one. Unfortunately, it is also a flaw that suffered from a broken disclosure process that only served to add further fuel and anxiety to the security risk.

On April 7, the original OpenSSL advisory was first issued, which did not refer to the flaw as "Heartbleed," but rather as a "Heartbeat" flaw in OpenSSL. Heartbeat refers to the technical monitoring function that the feature provides within OpenSSL. The name Heartbleed, as well as the well-designed logo that has been reused in countless media reports, is the creation of security research firm Codenomicon. Along with Google security researchers, Codenomicon is taking credit for the initial discovery of the Heartbleed flaw.
The Heartbleed icon was created in-house by a Codenomicon designer, Hope Frank, the firm's chief marketing officer, told eWEEK. Codenomicon also registered the domain heartbleed.com on April 5, which has served as a key resource to disseminate information about the security issue.
"In what we would consider to be one of the worst vulnerabilities that has been discovered in the modern Internet, I felt like the way the whole disclosure was handled was absolutely atrocious," John Edgar, chief technology evangelist at DigitalOcean, told eWEEK.
Although it's difficult to deal with sensitive security disclosures, more effort and broader dissemination could have been made to include and protect Internet services, Edgar said. "From my perspective, it really feels like this Finnish security firm [Codenomicon] played Heartbleed as a marketing and PR play in the name of security," Edgar said. "That's a shame and will likely encourage other people to do the same."

Codenomicon has a different opinion on how the disclosure process was handled. Ari Takanen, chief research officer at Codenomicon, told eWEEK that his team found the Heartbleed bug while improving the SafeGuard feature in Codenomicon's Defensics security testing tools. The SafeGuard feature of Codenomicon's Defensics security test tools automatically tests a target system for weaknesses that compromise integrity, privacy or safety, he said. Once Codenomicon discovered the Heartbleed bug, it was reported to the National Cyber Security Centre in Finland (NCSC-FI) for vulnerability coordination and reporting to the OpenSSL team. "Within hours of discovery, we contacted NCSC-FI to handle the vulnerability coordination," Takanen said. "We wrote a Q&A to support the vulnerability coordination when reaching out to the vendors and service providers; much faster than expected, others went public with the bug, and we felt that the Q&A could help the public as well."

DigitalOcean's Edgar noted that he understands it's not possible to get the whole Internet under an NDA to inform all parties in advance about security issues. However, Edgar said he felt really bad for all the server administrators at vendors and service providers, including his competitor Amazon AWS, that had to rapidly scramble to address the Heartbleed issue. "I feel bad for everyone that had to scramble to [make fixes] after the advisory went out, and that's the point, we shouldn't be left scrambling in situations like this; it was unfair and really poorly handled," Edgar said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.