5 no-bull facts you need to know about Heartbleed right now

Here's the most crucial info about the OpenSSL bug that affects almost two-thirds of sites on the Internet

1 2 Page 2
Page 2 of 2

4. It's going to be difficult to find out what's been stolen

Because the bug allows for the arbitrary dumping of memory from a server, finding out what, if anything, might have been filched from a vulnerable server is going to be tough without detailed audits of network logs -- assuming they even exist.

The most proactive route would be to assume anything sensitive that might have been dumped has been dumped and to set about changing anything that can be changed. Again, that's a massive undertaking for most organizations, so it makes sense to change the most immediate, sensitive items first: user passwords, certificates and keys if possible, and then on down the line.

Mashable has been keeping a list of popular sites where you might need to change your password as an additional security measure. Note that such a move is only likely to protect you so much if a thief made off with an SSL session key or an item not explicitly protected by a user's password. Still, it's not a bad idea to rotate passwords on affected sites.

5. It's not a good sign for our unquestioning reliance on unaudited open source code

Much of the criticism about the bug has revolved around how it apparently emerged as a by-product of OpenSSL's convoluted codebase, maintained by a small and rather insular team. Green notes that the bug was originally introduced back in December 2011, through an extremely trivial oversight.

That's bad enough, but also disturbing is how Heartbleed remained undetected by the major concerns using OpenSSL. For example, Facebook and Google were both affected by Heartbleed, but neither appear to have been proactively auditing OpenSSL's code -- not even after they made moves to switch their public-facing services over to SSL by default in the wake of the Snowden revelations. Various ironies abound because of this: As it turns out, sites built on Microsoft Windows Server and IIS -- closed source products -- are not vulnerable to this bug.

We're quick to depend on projects like OpenSSL for critical infrastructure, but we're not as quick to ensure they are what they say they are. Finding a more consistent way to do that -- not just in any one given company, but industry-wide -- seems like a mission worth taking up.

This article, "5 no-bull facts you need to know about Heartbleed right now," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow InfoWorld.com on Twitter.

Copyright © 2014 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
InfoWorld Technology of the Year Awards 2023. Now open for entries!