Akamai scoffs humble pie: Heartbleed defence crumbles, new SSL keys for customers

  • 15 April 2014

We got this covered ... er, maybe not

By John Leyden, 15 Apr 2014

Akamai has issued new SSL certificates to some of its customers after realising its customized OpenSSL was not immune to the Heartbleed bug as first thought.

Some time ago, the web distribution giant modified the code to the open-source OpenSSL library and rolled the tweaked version out to just its servers: that adjustment changed the way the library allocates memory so that any particularly sensitive data, such as private crypto-keys, is kept well away from general-purpose allocations that can be mined from afar using the Heartbleed bug.

Akamai thus claimed its customers' private SSL keys were safe from Heartbleed attacks, which work by sifting through a remote machine's memory for secret goodies like passwords and keys. Even so, Akamai still applied the Heartbleed fix to its flavour of OpenSSL just to be safe, as the people who found the bug warned the biz before going public on Monday, 7 April. But, crucially, it didn't feel the need to issue more than a very small number of new SSL private keys.

Full Article
 
Patches and now the need to issue new keys...makes one wonder as to whether anybody really, really knows what the answer is to this fiasco...but I hope that there is...for all our sakes...GULP

2 replies

That was a pretty big fail on their part. A lot of egg on their faces!

Enough to make a large omelette...at the very least. ;)
