Tatu Ylonen, inventor of the SSH protocol and CEO and founder of SSH Communications Security, says about the Heartbleed Bug vulnerability that "an attacker can use it to obtain the encryption keys used by a website, allowing the attacker or spy agency to read all communications. It can practically be used to obtain the server private key used for securing the server and communications to it, essentially breaching the certificates used for protecting the website, which in turn allows decrypting past sessions as well as performing man-in-the-middle attacks (including banking fraud and identity theft) in most cases."
Ylonen says an estimated 66% of the world's websites run software that uses the vulnerable library, though it's not known what percentage of them use SSL encryption. Not only are the vast majority of the world's most popular websites and social networking sites impacted by Heartbleed, "thousands of commercial applications ship with the vulnerable OpenSSL libraries and are vulnerable," he points out.
The bottom line, Ylonen says, is "enterprises and vendors thus need to check whether their software is vulnerable and take appropriate corrective steps urgently."
Ylonen says it's possible that international intelligence agencies are routinely recording all traffic based on the vulnerability if they haven't done this already. He adds that the "SSH protocol widely used today for system administration is not affected" by the Heartbleed Bug.
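The memory disclosure Ylonen describes above comes from the TLS heartbeat extension (RFC 6520): the server echoed back as many bytes as the peer's 16-bit length field claimed, without checking that the record it actually received was that long, so the copy ran off the end of the record into neighbouring heap, where key material may sit. The following C program is an added illustration written for this page, not code from OpenSSL or from SSH Communications Security. It models the server heap as a constructed fixed arena with a placeholder "private key" string placed right after the record, shows the pre-fix handler leaking it, and shows the bounds check that OpenSSL 1.0.1g added (`1 + 2 + payload + 16 > record length` means drop the message) rejecting the same request while still serving an honest one. The arena, the placeholder secret, and the `demo_*` function names are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed model of the server's heap (not OpenSSL's real layout): the
 * incoming heartbeat record sits at the start, and unrelated data, here a
 * placeholder private-key string, happens to be the next heap neighbour. */
#define ARENA_SIZE 4096
#define HB_PADDING 16                 /* RFC 6520 minimum padding */
static unsigned char heap_arena[ARENA_SIZE];
static const char secret[] = "-----BEGIN RSA PRIVATE KEY----- (placeholder)";

/* Lay out a heartbeat request: type(1) | payload_length(2) | payload | padding(16).
 * claimed_len is what the peer writes into the length field; actual_payload is what
 * it really sends. Returns the record length the TLS layer reports (rrec.length). */
static size_t build_heartbeat(size_t claimed_len, const char *actual_payload) {
    size_t plen = strlen(actual_payload);
    size_t record_len = 1 + 2 + plen + HB_PADDING;
    memset(heap_arena, 0, ARENA_SIZE);
    heap_arena[0] = 1;                                 /* TLS1_HB_REQUEST */
    heap_arena[1] = (unsigned char)(claimed_len >> 8);
    heap_arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(heap_arena + 3, actual_payload, plen);
    memcpy(heap_arena + record_len, secret, sizeof secret); /* heap neighbour */
    return record_len;
}

/* Pre-1.0.1g behaviour: trust the 16-bit length and echo that many bytes.
 * rec_len is ignored, so the copy runs past the record into neighbouring heap.
 * Returns the number of bytes copied into out. (The out_cap check only keeps
 * this demo inside its own arena; the real code had no such bound.) */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap) {
    (void)rec_len;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (payload > out_cap) return 0;
    memcpy(out, rec + 3, payload);
    return payload;
}

/* 1.0.1g behaviour: discard the message if the claimed payload plus header and
 * padding does not fit inside the record actually received. Returns the payload
 * length echoed, or -1 when the message is dropped. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;          /* cannot even hold header + padding */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1; /* the Heartbleed bounds check */
    if (payload > out_cap) return -1;
    memcpy(out, rec + 3, payload);
    return (int)payload;
}

/* Search a byte buffer for the placeholder secret. */
static int contains_secret(const unsigned char *buf, size_t n) {
    size_t slen = strlen(secret);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(buf + i, secret, slen) == 0) return 1;
    return 0;
}

/* Attacker sends a 2-byte payload but claims 200: the vulnerable handler echoes
 * the neighbouring key material. Returns 1 if the secret appears in the response. */
int demo_vulnerable_leak(void) {
    unsigned char out[1024];
    size_t rec_len = build_heartbeat(200, "hi");
    size_t n = heartbeat_vulnerable(heap_arena, rec_len, out, sizeof out);
    return contains_secret(out, n);
}

/* The same malformed request against the fixed handler is dropped (-1). */
int demo_fixed_rejects_oversized(void) {
    unsigned char out[1024];
    size_t rec_len = build_heartbeat(200, "hi");
    return heartbeat_fixed(heap_arena, rec_len, out, sizeof out);
}

/* A well-formed request (claimed length matches what was sent) still works. */
int demo_fixed_accepts_honest(void) {
    unsigned char out[1024];
    size_t rec_len = build_heartbeat(2, "hi");
    return heartbeat_fixed(heap_arena, rec_len, out, sizeof out);
}

int main(void) {
    printf("vulnerable handler leaked secret: %s\n", demo_vulnerable_leak() ? "yes" : "no");
    printf("fixed handler on oversized claim: %d\n", demo_fixed_rejects_oversized());
    printf("fixed handler on honest request: %d\n", demo_fixed_accepts_honest());
    return 0;
}
```

The arena keeps the over-read inside memory this program owns so it runs deterministically; on a real server the same `memcpy` walked into whatever the allocator had placed next, which is why the leaked bytes could include the private key Ylonen refers to, and why rotating keys and reissuing certificates, not just patching, was the appropriate corrective step.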