    Heartbleed SSL Flaw’s True Cost Will Take Time to Tally

    Written by

    Sean Michael Kerner
    Published April 19, 2014

      Ever since news first broke on April 7 about the Heartbleed security vulnerability, IT professionals around the world have been struggling to contain its impact. The Heartbleed crisis will, no doubt, come with a high price tag when the final tally is taken for all the damage it has caused.

      The Heartbleed flaw is technically a security vulnerability in the open-source OpenSSL cryptographic library that provides Secure Sockets Layer (SSL) encryption capabilities. OpenSSL is widely deployed on Linux servers, mobile devices and embedded devices around the world and provides encryption for data in transit. While patches have been available for most major Linux platforms since April 8, some platforms still have not been patched, including Google’s Android 4.1 (Jelly Bean) mobile operating system.

      Although patches have been publicly available for more than a week for most server platforms, that doesn’t mean that all of the world’s vulnerable servers and devices that can be patched have, in fact, been patched.

      For example, the Tor privacy network is losing 12 percent of its network this week, due to servers in its network that have not been updated to protect against the Heartbleed flaw. Tor is a network made up of multiple relay servers through which Internet traffic is routed in a bid to try and anonymize the original location of a user. Developers working with the Tor project identified 380 vulnerable nodes on April 16, more than a week after patches for Heartbleed were first made available.

      Heartbleed has cost Tor a nontrivial piece of its network, and in a broader context, it has cost the global Internet community a lot more.

      Quantifying the cost that Heartbleed has inflicted on the world’s IT systems and users is no easy task. Cloud security vendor CloudFlare has attempted to estimate some of the cost.

      One aspect of the Heartbleed flaw is that SSL certificates need to be revoked and then reissued after a server patches for the issue. Given that SSL certificate revocation lists generate bandwidth for a Certificate Authority (CA) provider, CloudFlare CEO Matthew Prince has estimated in a blog post that the cost of revoking SSL certificates through the GlobalSign CA could well incur a bandwidth cost of $400,000. That’s just one cloud vendor, working with one CA.

      The true total cost of Heartbleed is going to include multiple factors. The following variables will need to be factored into the total-cost-of-Heartbleed equation:

      1. Human Resources: Building Patches. There is the cost across all the various projects and human staff involved to actually build and package OpenSSL.

      2. Human Resources: Implementing Patches. There is likely a cost involved for the time required by individuals and companies to actually execute the required patches.

      3. Human Resources: Scanning for Risk. Not all organizations are properly aware of what is running in their enterprises, and there is likely a staff time cost associated with scanning for servers that are at risk.

      4. Human Resources: Resetting Passwords. Resetting passwords both for server administrators and end users is a time-consuming process.

      5. Certificate Revocation Bandwidth. As CloudFlare noted, the process of revoking and then reissuing SSL certificates can be bandwidth-intensive, and that can be costly.

      6. Stolen Data. So far, the only organization that has publicly reported having data stolen as a result of Heartbleed is the Canada Revenue Agency, but more such reports are likely to follow.

      Take all those inputs together for all the hundreds of millions of end users that have been affected and we’ll have the total cost for Heartbleed.

      To put an actual number on it, given some historical precedent, I think $500 million is a good starting point. Back in 2001, eWEEK reported that the estimated cost of W.32 Nimda worm cleanup would hit $500 million. That was 13 years ago; given inflation, the cost of Heartbleed could be much higher, though the truth is that computing costs on the whole today are cheaper than they were in 2001 and significantly more automated.

      Whatever the final total figure, Heartbleed is a security incident that is like no other in recent memory. Its potential impact is widespread, and it might take weeks, months or even years until the final true cost is ever tallied.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner is an Internet consultant, strategist, and writer for several leading IT business web sites.
