Slashdot Mirror


Akamai Reissues All SSL Certificates After Admitting Heartbleed Patch Was Faulty

SpacemanukBEJY.53u (3309653) writes "It took security researcher Willem Pinckaers all of 15 minutes to spot a flaw in code created by Akamai that the company thought shielded most of its users from one of the pernicious aspects of the Heartbleed flaw in OpenSSL. More than a decade ago, Akamai modified parts of OpenSSL it felt were weak related to key storage. Akamai CTO Andy Ellis wrote last week that the modification protected most customers from having their private SSL keys stolen despite the Heartbleed bug. But on Sunday Ellis wrote Akamai was wrong after Pinckaers found several flaws in the code. Akamai is now reissuing all SSL certificates and keys to its customers."

8 of 56 comments

  1. They deserve congratulations ... by Alain+Williams · Score: 5, Insightful

    for having the integrity to admit that they screwed up the first time.

    1. Re:They deserve congratulations ... by rmdingler · Score: 3, Interesting
      Yes. The corporate opposite of General Motors trying to explain to Congress the years-long lapse in reporting and repairing the ignition problems of millions of vehicles.

      Here's to hoping they are rewarded for their prompt honesty, rather than persecuted, as we certainly need to set some positive precedents for this exact type of conduct.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

  2. Re:Do I get this right: by Anonymous Coward · Score: 3, Informative

    The fact that they are re-issuing certificates clearly indicates that they were open to Heartbleed. They had tried to add another layer of protections to protect against bugs like this (which is honorable), but found that they were insufficient to protect the certificate. I haven't read up on the details, but it is likely that temporary decryption operations exposed enough information so that the ssl key could be regenerated, even if the ssl key itself was protected. Crypto is difficult, and trying to protect against unknown bugs is even harder.
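The comment above reasons that even a protected key blob is not enough if the intermediate values of a decryption leak. The block below is an added worked example, not code from the page, from the commenter, or from Akamai's OpenSSL modification, and it does not claim to reproduce the exact flaw Pinckaers found. It uses a constructed toy RSA key (two Mersenne primes, far too small for real use) to show two general facts about CRT-RSA as OpenSSL performs it: a leaked half-result `m1 = c^dp mod p` from a single decryption, together with the public ciphertext, factors the modulus; and a leaked CRT exponent `dp` on its own does too. Either way the whole private key can be regenerated, which is why only the full key material, not one field of it, can be considered secret.

```python
from math import gcd

# Constructed toy key: two Mersenne primes, chosen so the script runs
# instantly and the arithmetic is easy to check. Not a real-world size.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537


def make_key(p, q, e=E):
    """Return the CRT form of an RSA private key (the fields OpenSSL keeps)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {
        "n": n, "e": e, "d": d, "p": p, "q": q,
        "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p),
    }


def crt_decrypt(key, c):
    """Textbook CRT (Garner) decryption. Returns (m, m1) so the caller can
    see the intermediate that sits in memory during the operation."""
    m1 = pow(c, key["dp"], key["p"])          # m mod p
    m2 = pow(c, key["dq"], key["q"])          # m mod q
    h = (key["qinv"] * (m1 - m2)) % key["p"]
    m = m2 + h * key["q"]
    return m, m1


def key_from_factor(n, e, p):
    """Regenerate the complete private key once one prime factor is known."""
    q = n // p
    if p * q != n:
        raise ValueError("p is not a factor of n")
    return make_key(p, q, e)


def factor_from_crt_intermediate(n, e, c, m1):
    """m1 = c^dp mod p equals m mod p, and c = m^e mod n, so m1^e - c is
    0 mod p but (for m >= p) not 0 mod q; the gcd with n is therefore p."""
    p = gcd((pow(m1, e, n) - c) % n, n)
    if p in (1, n):
        raise ValueError("gcd did not split n")
    return p


def factor_from_dp(n, e, dp, tries=16):
    """e*dp = 1 + k(p-1), so a^(e*dp) = a mod p for every a (Fermat), while
    the same congruence mod q fails for almost every a. Deterministic bases
    keep the result reproducible."""
    for a in range(2, 2 + tries):
        p = gcd((pow(a, e * dp, n) - a) % n, n)
        if p not in (1, n):
            return p
    raise ValueError("no split found")


def demo():
    """Simulate one decryption whose half-result leaks, then rebuild the key."""
    key = make_key(P, Q)
    m = int.from_bytes(b"premaster-secret", "big")   # stand-in plaintext
    c = pow(m, key["e"], key["n"])
    plain, leaked_m1 = crt_decrypt(key, c)
    p_from_m1 = factor_from_crt_intermediate(key["n"], key["e"], c, leaked_m1)
    p_from_dp = factor_from_dp(key["n"], key["e"], key["dp"])
    rebuilt = key_from_factor(key["n"], key["e"], p_from_m1)
    return plain == m and p_from_m1 == P and p_from_dp == P and rebuilt == key


if __name__ == "__main__":
    print("full private key regenerated from leaked intermediates:", demo())
```

The plaintext is deliberately larger than `p`, since a message smaller than `p` gives `m1 == m` and the gcd collapses to `n`; the same recovery still works for real-sized keys because a TLS premaster secret is padded to nearly the full modulus width before encryption.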

  3. Re:Do I get this right: by ArcadeMan · Score: 3, Funny

    I'm glad to learn that my toaster is vulnerable to Heartbleed.

  4. Re:Financial Institution Vulnerabilities? by BitZtream · Score: 3, Insightful

    What is 'verisign' ... I mean, I know of the company named verisign that functions as a root CA, but they don't have magical certs that are safe, they are just like all other certs.

    A quick Google search yields too much about the company, can you point me at what you're referring to so I can clear my ignorance?

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager

  5. Re:Do I get this right: by gnasher719 · Score: 3, Insightful

    The fact that they are re-issuing certificates clearly indicates that they were open to Heartbleed.

    That seems to be the US thing, where trying to fix a problem is taken as admission of guilt. (I heard this weird story that US hospitals have a problem if one of their X-ray machines breaks and the replacement is a better model, because anyone examined using the older machines can claim they didn't get the best possible treatment).

  6. Re:Do I get this right: by LordLimecat · Score: 3, Informative

    IIS is not. It uses schannel, not OpenSSL.

  7. Re:Do I get this right: by ProzacPatient · Score: 4, Funny

    The Colonial fleet will be pleased to hear that toasters are vulnerable to heartbleed; hopefully it'll give them an edge against the Cylon menace.