Heartbleed Bug Shows Which Companies Really Care About Security

  • 20 April 2014

The critical OpenSSL vulnerability, known as the Heartbleed bug, is said to have impacted two thirds of the websites that use SSL to secure their customers’ communications. While many organizations have patched their installations by now, a lot of users’ data has been at risk because of the flaw.

The Heartbleed bug was discovered by a Google security expert sometime in March. Its existence was made public on April 7. Some companies, such as CloudFlare, Facebook and some Linux distributions, learned of its existence before that, and they quickly rolled out fixes.

On April 7, OpenSSL released version 1.0.1g, allowing all companies to secure their websites. However, some of them took a long time to apply the fix.

Considering that Heartbleed made a lot of headlines all over the world, you’d expect every company to install the latest version of OpenSSL quickly, if not to protect users, at least to brag about it in an effort to boost their reputation. 

Shortly after the world learned of the vulnerability, experts started publishing lists of the affected services. Exploits were also published online soon after. While initially some doubted that private SSL keys could be obtained by exploiting Heartbleed, researchers quickly demonstrated that it was possible. 

Unsurprisingly, some organizations have started admitting to their customers that their information might have been stolen by cybercriminals exploiting the Heartbleed bug. 

There are rumors that some entities might have known about the existence of Heartbleed for a long time, including the National Security Agency (NSA), which is said to have known about it for two years. The NSA has denied the accusations, but there could be some who really knew about the OpenSSL flaw for a long time. 
 