Heartbleed Fallout

Director of Development Operations
Published 4/25/14

The Heartbleed vulnerability was announced on April 7, 2014, and during that week there was a lot of press coverage and a lot of scrambling by companies, Miles included, to spread the word and patch software to remove the vulnerability. Let's take a look at where everything landed after the initial scramble and see what we can take away from this event.

What is Heartbleed?

Heartbleed is a bug in the OpenSSL encryption library: when sent a specific type of request called a heartbeat request, a vulnerable server returns up to 64 kilobytes of its own memory for each request. An attacker could send heartbeat requests repeatedly to collect as many chunks of server memory as they wanted and then piece that memory together to discover secrets the server had loaded in memory.
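To make that description concrete, here is an added example (not code from the original post, and not OpenSSL's source): a simplified model of a heartbeat handler, with the vulnerable shape beside the length check that the fix introduced. The record layout assumed is the TLS heartbeat one (1 byte type, 2 byte payload length, payload, at least 16 bytes padding); the "arena" buffer and the secret string placed after the record are constructed here so the over-read stays inside a buffer we own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_HDR 3       /* 1 byte message type + 2 byte payload length */
#define HB_PADDING 16  /* minimum padding that follows the payload */

/* Constructed stand-in for process memory: the heartbeat record sits at the
 * start, and a secret (think key material) happens to live right after it.
 * The arena is large enough that the demo over-read stays inside it. */
static unsigned char arena[64];
static const char secret[] = "PRIVATE-KEY-BYTES";

/* Lay out a heartbeat_request that claims `claimed` payload bytes but really
 * carries `actual`; returns the length of the record actually received. */
size_t build_arena(uint16_t claimed, size_t actual) {
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                  /* heartbeat_request */
    arena[1] = claimed >> 8; arena[2] = claimed & 0xff;
    memset(arena + HB_HDR, 'A', actual);           /* padding stays zeroed */
    size_t rec_len = HB_HDR + actual + HB_PADDING;
    memcpy(arena + rec_len, secret, sizeof secret);
    return rec_len;
}

/* Vulnerable shape: copies as many bytes as the peer claimed and never looks
 * at the received length, so the reply echoes whatever lies past the record. */
size_t respond_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    (void)rec_len;                                 /* unused: that is the bug */
    uint16_t len = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];   /* heartbeat_response */
    memcpy(out + HB_HDR, rec + HB_HDR, len);
    return HB_HDR + len;
}

/* Hardened shape (what the fix adds): header + claimed length + padding must
 * fit inside the record that was actually received, otherwise drop it. */
size_t respond_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    if (rec_len < HB_HDR + HB_PADDING) return 0;
    uint16_t len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + len + HB_PADDING > rec_len) return 0;
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, len);
    return HB_HDR + len;
}

/* 1 if the response carries the secret string, else 0. */
int response_leaks_secret(const unsigned char *out, size_t n) {
    for (size_t i = 0; i + strlen(secret) <= n; i++)
        if (memcmp(out + i, secret, strlen(secret)) == 0) return 1;
    return 0;
}
```

Building a record that claims 40 bytes but carries 4 (build_arena(40, 4)) makes respond_vulnerable hand back the secret while respond_fixed returns 0 and discards the request; an honest record (build_arena(4, 4)) is answered by both.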

OpenSSL is the encryption library behind almost two-thirds of the internet's sites running over https. One of the secrets everyone is worried could leak is the set of secret keys used to protect https sites. Should an attacker obtain those keys, they could listen in on (or decrypt) network traffic that should have been secure.

How did Miles respond?

Miles took immediate action to patch all of our servers with an updated version of OpenSSL that fixed the Heartbleed vulnerability. All of our servers were patched by the end of the day on April 8, 2014. We took an additional precautionary step to have all of our SSL certificates (the secret keys used to encrypt sites running on https) re-issued in case any of them had been compromised. We have not seen any evidence that any of our servers or sites were compromised by the Heartbleed vulnerability.

What was the fallout across the internet?

So far there have been no major breaches announced, at least on the "Target Thanksgiving 2013" scale. The most prominent news so far is the breach at the Canada Revenue Agency (Canada's IRS). But even though most major websites are now protected, according to this LA Times story, it is still early, and people are realizing this affects more than just websites: your home router may also be vulnerable, so we may see more breach announcements in the future.

What can we take away from this?

My optimistic view of this incident is that the internet works. A vulnerability was discovered and tested and the necessary software vendors had updated versions of software available immediately when the vulnerability was announced. System administrators promptly patched major systems and there was ample communication and documentation about the steps needed to completely immunize a system from this bug.

The internet community has rallied around this issue. Just recently the Core Infrastructure Initiative was created to invest in maintaining and updating the core technologies used on the internet. Also, after the vulnerability was disclosed, Heartbleed was tested to make sure it was really as serious as initially reported (hint: it is).

There are always going to be bugs, small and large, affecting many different layers of the internet experience, from the website itself to the way you communicate with a server. But the power of the internet that was demonstrated here is the power to iterate and resolve issues quickly. Having the whole world looking at something like this helps to keep everyone informed, accountable, and safe.