Heartbleed Security Vulnerability Affects All

April 8th 2014: Heartbleed has been labelled by Bruce Schneier as “Catastrophic - on the scale of 1 to 10, this is an 11”.

As we have just witnessed with the recent Heartbleed OpenSSL security vulnerability, the computing industry has increasingly come to rely upon shared source code. In this case the OpenSSL code has been reused within many products and service offerings, from appliance-based application content controllers to the mainstream cloud services, such as Google or Amazon Web Services, that provide foundational capabilities for other systems. With interoperability between highly complex systems now the standard, software has grown in complexity and must be maintained adequately. This reinforces the need to weigh open-source against closed software development models carefully.

What is the security risk? The Heartbleed OpenSSL bug allows anyone on the Internet to read the memory of systems running vulnerable versions of the OpenSSL software. This can expose the secret keys used to identify service providers and encrypt network traffic, as well as user names and passwords. Such exposure then allows attackers to eavesdrop on network communications, to steal data directly from the services and their users, and to impersonate those services and users.

You can verify whether your web site, or any other Internet site, is vulnerable at this site: https://filippo.io/Heartbleed/

Industry Response: In response to this security issue, the Linux Foundation has been supported by leading technology industry companies, which are funding a multi-million dollar initiative to expedite open source projects that are in the critical path for core computing functions. Known as the Core Infrastructure Initiative, the funds will be administered by the Linux Foundation and a steering group comprised of backers of the project as well as key open source developers and other industry stakeholders. The first project will be the remediation of OpenSSL.

This rapid and collaborative response by some of the world’s leading technology companies is perhaps the industry harking back to earlier times when Eric Raymond posited that "given enough eyeballs, all bugs are shallow" in his essay The Cathedral and the Bazaar (1997).