As word spread this week about the dreaded “Heartbleed” bug, consumers and Websites struggled to understand the implications and sort through some of the more apocalyptic pronouncements being made about the problem.
Consumers started to receive a trickle of notices from services they use online alerting them to potential issues and recommended steps, such as changing passwords. But given the scope of the issue, security experts projected that it could take years to sew up all the holes created by the Heartbleed bug.
“This is one of the worst security issues we’ve seen in the last decade and will remain within the top 5 for many years to come,” said Adam Ely, founder and chief operating officer of Bluebox Security.
Added Jeff Forristal, Bluebox chief technical officer: “OpenSSL is extremely pervasive on all manners of devices, systems and servers. It is going to take the ecosystem significant time to get everything updated, and we will be looking at a long tail situation that could easily extend into years.”
OpenSSL is a technology used to provide encryption for an estimated 66% of all servers on the public Internet. It is open-source code, developed and maintained by a community of developers rather than by a single company.
The “Heartbleed” bug was discovered separately last week by Neel Mehta, a security researcher at Google, and by a team of security engineers at Codenomicon, a security company that has since set up a website with information about Heartbleed.
It appears the bug was introduced into OpenSSL by a simple programming mistake, which then spread as websites around the world updated the version of OpenSSL they were running.
An updated version of OpenSSL has been issued, and sites can use it to fix the bug. In addition to updating OpenSSL, sites will need to replace their keys and certificates, the pieces of their security setup that help them confirm the identity of users.
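The two remediation steps the article names, upgrading OpenSSL and then reissuing keys and certificates, are easy to track separately across a server fleet. The script below is an added illustration written for this page, not code from the article or from the OpenSSL project. It assumes facts the article does not state but that are recorded in the OpenSSL advisory: the affected releases were 1.0.1 through 1.0.1f and 1.0.2-beta1, and the fix shipped in 1.0.1g on 7 April 2014. The host inventory at the bottom is constructed sample data.

```python
import re
from datetime import date

# Assumed from the OpenSSL advisory, not from the article: Heartbleed affected
# 1.0.1 through 1.0.1f and 1.0.2-beta1; the fix was released as 1.0.1g on 2014-04-07.
FIX_RELEASE_DATE = date(2014, 4, 7)
_OPENSSL_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d+)?")


def is_heartbleed_affected(banner: str) -> bool:
    """True if an 'OpenSSL x.y.z[letter]' version banner names an affected release.

    Banners from other libraries (for example LibreSSL) return False because the
    check is specific to OpenSSL's release numbering.
    """
    m = _OPENSSL_BANNER.search(banner)
    if not m:
        return False
    major, minor, fix = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 with no letter up to and including 1.0.1f; 'g' and later are fixed
        return letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        # only the first 1.0.2 beta carried the bug
        return beta == "-beta1"
    return False


def key_rotated_after_fix(cert_not_before: date) -> bool:
    """A certificate issued before the fix may be backed by a key that was exposed
    while vulnerable code was running, so it should be replaced.

    The current banner alone cannot show whether a host ran an affected release
    earlier, so any certificate predating the fix is treated conservatively.
    """
    return cert_not_before >= FIX_RELEASE_DATE


def triage(inventory):
    """Return {host: [actions]} for hosts that still need remediation work."""
    todo = {}
    for host, banner, not_before in inventory:
        actions = []
        if is_heartbleed_affected(banner):
            actions.append("upgrade OpenSSL")
        if not key_rotated_after_fix(not_before):
            actions.append("reissue certificate with a new key")
        if actions:
            todo[host] = actions
    return todo


# Constructed sample inventory: (host, OpenSSL banner, certificate notBefore date).
# Hostnames and dates are made up for this example.
SAMPLE_INVENTORY = [
    ("web-1.example", "OpenSSL 1.0.1e 11 Feb 2013", date(2013, 6, 1)),
    ("web-2.example", "OpenSSL 1.0.1g 7 Apr 2014", date(2013, 6, 1)),
    ("web-3.example", "OpenSSL 1.0.1g 7 Apr 2014", date(2014, 4, 10)),
    ("web-4.example", "OpenSSL 1.0.2-beta1 24 Feb 2014", date(2014, 4, 10)),
    ("web-5.example", "OpenSSL 0.9.8y 5 Feb 2013", date(2014, 5, 1)),
]

if __name__ == "__main__":
    for host, actions in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(actions)}")
```

Running it lists web-1 (needs both steps), web-2 (patched, but its certificate still dates from before the fix) and web-4 (an affected beta); web-3 and web-5 need nothing. The point the article makes about the “long tail” shows up in web-2: a fleet can be fully patched and still carry keys that were reachable while the bug was live.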
SOURCE: Chris O’Brien
The Los Angeles Times