Slashdot Mirror


Heartbleed One Year Later: Has Anything Changed?

darthcamaro writes: It was on April 7, 2014 that the CVE-2014-0160 vulnerability titled "TLS heartbeat read overrun" in OpenSSL was first publicly disclosed — but to many it's a bug known simply as Heartbleed. A new report from certificate vendor Venafi claims that 76% of organizations are still at risk, though it's a statistic that is contested by other vendors as well as by other statistics. Qualys' SSL Pulse claims that only 0.3 percent of sites are still at risk. Whatever the risk is today, the bottom line is that Heartbleed did change the security conversation — but did it change it for the better or the worse? A related article explores how Heartbleed could have been found earlier.

2 of 53 comments

  1. We really should rethink web encryption. by jellomizer · Score: 1, Interesting

    I am not a full time systems administrator, but I have set up SSL sites before. And if you don't do it all the time, or at least once every 6 months, the process is cumbersome and difficult.
    We have the cert agency; otherwise the popular web browsers will create alerts stating how much of a horrible institution you are for not shelling out cash for a key.
    Then IIS vs. Apache vs. other browsers have different rules to set up, and sometimes it just doesn't work when you follow the instructions.

    It is a process that should be easier to set up.

    This difficulty is why organizations may not go that route. They can't risk taking their servers down for a day to get their site secure. If they choose the wrong cert company, they either spend a ton of money or risk getting a company not recognized by the web browser, scaring off users.
    Then you have security updates, which may break what you have set up.

    I personally think SSL should be enabled by default by the web server; then you send the cert company your key made during the install process. Then they will give you a data set that you add to your configuration to tell the browser to check against that cert location. Then the browser can decide the quality of the cert verifier.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:We really should rethink web encryption. by Anonymous Coward · Score: 3, Interesting

      While upgrading a cert might be easy if you have direct access to the server, many shared hosting providers provide extremely bulky and cumbersome interfaces for managing SSL.

      I don't know how many times I've had to help customers using ancient shared hosting solutions to upgrade SSL certs, and had to plan at least 30 minutes of downtime for the service at hand simply because the cron job the host uses to reload the Apache config only runs every 30 minutes.

      To get back OT: Yes, Heartbleed has changed the way people are looking at security. Before Heartbleed, most people simply slapped SSL on top of whatever they used and called the connection encrypted. Now, I've had customers worried about MITM attacks through open WiFi hotspots, lack of regular software updates, and other simple but obvious things that aren't as obvious to most people.