
    Heartbleed SSL Flaw Angst Aggravated by Broken Disclosure Process

    By Sean Michael Kerner, April 11, 2014

      The Heartbleed encryption vulnerability is perhaps the most serious Internet security flaw in recent memory, affecting hundreds of millions of people. The Heartbleed flaw is found within OpenSSL, an open-source cryptographic library used for the Secure Sockets Layer (SSL), which is widely deployed on Linux servers and Internet infrastructure around the world.

      What is perhaps not as well-known in the media circus surrounding the Heartbleed issue is how this critical security issue has been packaged and branded from day one. Unfortunately, it is also a flaw that suffered from a broken disclosure process, one that only added fuel to the anxiety surrounding the security risk.

      On April 7, the original OpenSSL advisory was first issued; it did not refer to the flaw as “Heartbleed,” but rather as a “Heartbeat” flaw in OpenSSL. Heartbeat refers to the connection-monitoring (keep-alive) function that the feature provides within OpenSSL.

      The name Heartbleed, as well as the well-designed logo that has been reused in countless media reports, is the creation of security research firm Codenomicon. Along with Google security researchers, Codenomicon is taking credit for the initial discovery of the Heartbleed flaw.

      The Heartbleed icon was created in-house by a Codenomicon designer, Hope Frank, the firm’s chief marketing officer, told eWEEK. Codenomicon also registered the domain heartbleed.com on April 5, which has served as a key resource to disseminate information about the security issue.

      “Our intent was never to market, [but] rather to inform, educate and advise,” Frank said. “This is why we decided to post our internal Heartbleed content and created the Website. The domain happened to be available.”

      Codenomicon wanted to use its findings to educate those who required the information quickly, Frank said, adding that the information was posted after OpenSSL.org discovered the flaw.

      The Disclosure Process

      The whole disclosure process behind the Heartbleed flaw is also the subject of much scrutiny and interest. Typically, in an open-source security disclosure scenario, there is some form of nondisclosure agreement (NDA) based information that is released on a closed vendor security community list. The general idea is that by working together, multiple vendors and services can all have patches ready to go when a public advisory is made.

      That didn’t happen with Heartbleed.

      Google and cloud security vendor CloudFlare were among a very small group that somehow got early access to the flaw and were able to be patched on April 7 prior to the public advisory from OpenSSL.

      CloudFlare CEO Matthew Prince told eWEEK that his firm was in fact notified early last week by researchers involved in discovering the bug.

      Other vendors and Web services, including cloud vendors, however, did not apparently get the same message. Cloud services vendor DigitalOcean is among those that were left scrambling on April 7 to patch servers.
      “In what we would consider to be one of the worst vulnerabilities that has been discovered in the modern Internet, I felt like the way the whole disclosure was handled was absolutely atrocious,” John Edgar, chief technology evangelist at DigitalOcean, told eWEEK.
      Although it’s difficult to deal with sensitive security disclosures, more effort and broader dissemination could have been made to include and protect Internet services, Edgar said.

      “From my perspective, it really feels like this Finnish security firm [Codenomicon] played Heartbleed as a marketing and PR play in the name of security,” Edgar said. “That’s a shame and will likely encourage other people to do the same.”

      Codenomicon has a different opinion on how the disclosure process was handled. Ari Takanen, chief research officer at Codenomicon, told eWEEK that his team found the Heartbleed bug while improving the SafeGuard feature in Codenomicon’s Defensics security testing tools. The SafeGuard feature automatically tests a target system for weaknesses that compromise integrity, privacy or safety, he said.

      Once Codenomicon discovered the Heartbleed bug, it was reported to the National Cyber Security Centre in Finland (NCSC-FI) for vulnerability coordination and reporting to the OpenSSL team.

      “Within hours of discovery, we contacted NCSC-FI to handle the vulnerability coordination,” Takanen said. “We wrote a Q&A to support the vulnerability coordination when reaching out to the vendors and service providers; much faster than expected, others went public with the bug, and we felt that the Q&A could help the public as well.”

      DigitalOcean’s Edgar noted that he understands it’s not possible to get the whole Internet under an NDA to inform all parties in advance about security issues. However, Edgar said he felt really bad for all the server administrators at vendors and service providers, including his competitor Amazon AWS, that had to rapidly scramble to address the Heartbleed issue.

      “I feel bad for everyone that had to scramble to [make fixes] after the advisory went out, and that’s the point, we shouldn’t be left scrambling in situations like this; it was unfair and really poorly handled,” Edgar said.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
