Heartbleed SSL Flaw Angst Aggravated by Broken Disclosure Process

NEWS ANALYSIS: The decade's most serious security issue was packaged and branded, but many server administrators and service providers were left in the dark.


The Heartbleed encryption vulnerability is perhaps the most serious Internet security flaw in recent memory, affecting hundreds of millions of people. The Heartbleed flaw is found in OpenSSL, an open-source cryptographic library that implements the Secure Sockets Layer (SSL) protocol and is widely deployed on Linux servers and Internet infrastructure around the world.

What is perhaps not as well-known in the media circus surrounding the Heartbleed issue is how this critical security issue has been packaged and branded from day one. Unfortunately, it is also a flaw that suffered from a broken disclosure process that only served to add further fuel and anxiety to the security risk.

On April 7, OpenSSL issued its original advisory, which did not refer to the flaw as "Heartbleed" but rather as a flaw in OpenSSL's "Heartbeat" feature. Heartbeat refers to the TLS keep-alive extension that OpenSSL implements.

The name Heartbleed, as well as the well-designed logo that has been reused in countless media reports, is the creation of security research firm Codenomicon. Along with Google security researchers, Codenomicon is taking credit for the initial discovery of the Heartbleed flaw.

The Heartbleed icon was created in-house by a Codenomicon designer, Hope Frank, the firm's chief marketing officer, told eWEEK. Codenomicon also registered the domain heartbleed.com on April 5; the site has served as a key resource for disseminating information about the security issue.

"Our intent was never to market, [but] rather to inform, educate and advise," Frank said. "This is why we decided to post our internal Heartbleed content and created the Website. The domain happened to be available."

Codenomicon wanted to use its findings to educate those who required the information quickly, Frank said, adding that the information was posted after OpenSSL.org discovered the flaw.

The Disclosure Process

The whole disclosure process behind the Heartbleed flaw is also the subject of much scrutiny and interest. Typically, in an open-source security disclosure scenario, details are shared under a nondisclosure agreement (NDA) on a closed vendor security community list. The general idea is that by working together, multiple vendors and services can all have patches ready to go when a public advisory is made.

That didn't happen with Heartbleed.

Google and cloud security vendor CloudFlare were among a very small group that somehow got early access to the flaw and were able to patch on April 7, prior to the public advisory from OpenSSL.

CloudFlare CEO Matthew Prince told eWEEK that his firm was in fact notified early last week by researchers involved in discovering the bug.

Other vendors and Web services, including cloud vendors, however, did not apparently get the same message. Cloud services vendor DigitalOcean is among those that were left scrambling on April 7 to patch servers.

"In what we would consider to be one of the worst vulnerabilities that has been discovered in the modern Internet, I felt like the way the whole disclosure was handled was absolutely atrocious," John Edgar, chief technology evangelist at DigitalOcean, told eWEEK.

Although it's difficult to deal with sensitive security disclosures, more effort and broader dissemination could have been made to include and protect Internet services, Edgar said.

"From my perspective, it really feels like this Finnish security firm [Codenomicon] played Heartbleed as a marketing and PR play in the name of security," Edgar said. "That's a shame and will likely encourage other people to do the same."

Codenomicon has a different opinion on how the disclosure process was handled. Ari Takanen, chief research officer at Codenomicon, told eWEEK that his team found the Heartbleed bug while improving the SafeGuard feature in Codenomicon's Defensics security testing tools. The SafeGuard feature automatically tests a target system for weaknesses that compromise integrity, privacy or safety, he said.

Once Codenomicon discovered the Heartbleed bug, it reported the flaw to the National Cyber Security Centre in Finland (NCSC-FI) for vulnerability coordination and reporting to the OpenSSL team.

"Within hours of discovery, we contacted NCSC-FI to handle the vulnerability coordination," Takanen said. "We wrote a Q&A to support the vulnerability coordination when reaching out to the vendors and service providers; much faster than expected, others went public with the bug, and we felt that the Q&A could help the public as well."

DigitalOcean's Edgar noted that he understands it's not possible to get the whole Internet under an NDA to inform all parties in advance about security issues. However, Edgar said he felt really bad for all the server administrators at vendors and service providers, including his competitor Amazon AWS, who had to scramble to address the Heartbleed issue.

"I feel bad for everyone that had to scramble to [make fixes] after the advisory went out, and that's the point, we shouldn't be left scrambling in situations like this; it was unfair and really poorly handled," Edgar said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.