Wednesday, April 9, 2014


This bug will probably be taught in Comp Sci classes in years to come and the poor student Robin Seggelmann from T-Systems International who wrote this buffer bounds beauty, earned instant infamy.

It is a terrible, terrible bug - you send a request to a supposedly secure server and it returns up to 64KB of data, which on a busy mail service like Yahoo, could contain multiple user names, passwords and keys in each and every request.

The bad thing is that the heartbeat feature was not necessary.

A thing should be as simple as possible, but no simpler.
-- A. Einstein

T-Systems violated that principle and we are all paying the price.


Give the good IT folks a few days to fix things and then change ALL your passwords everywhere and to preserve your sanity, do install Keepass (Windows), KeepassX (Linux, Mac) or KeepassDroid (Android).

For those worried about Keepass, see this:

Broken windows

The problem is actually not as widespread as feared.  According to Netcraft, while a good 70% of all servers use OpenSSL, about a quarter use Heartbeat, meaning that the total percentage of servers affected by Heartbleed, is under 20%, but for the next few days, you cannot trust anything.

Nevertheless, the broken windows fallacy means that some IT businesses will profit handsomely, especially the certificate vendors, at the expense of everyone else.

My site statistics graph shows that there are still many broken Windows out there too...

Now that many people are starting to look critically at OpenSSL, they are bound to find many other issues.  The OpenBSD contributors already started to scratch at it.  So expect to see a slew of updates over the next few weeks as large numbers of bugs get fixed.  Thanks to the heartbeat bug, OpenSSL should end up being much more secure than it ever was.

Update: OpenBSD announced LibreSSL, their lean and mean fork of OpenSSL.

Who Knew?

The big question is who knew?

In these matters the only certainty is that there is nothing certain. 
 -- Pliny the Elder

Did the NSA, GCHQ, CSE and others know about this bug for the past two years and happily collected logins and keys and does this explain why they could perform Man In The Middle attacks with such apparent ease?

No comments:

Post a Comment

On topic comments are welcome. Junk will be deleted.