Roland Dobbins, Senior Analyst from Arbor Networks Security Engineering & Response Team (ASERT) comments about the Heartbleed bug; “This is an extremely serious situation, which highlights the manual nature of the tasks required to secure critical Internet services such as basic encryption and privacy protection.
“There are no automated safeguards which can ameliorate these issues. And what most people don’t realise is that if attackers captured packets in the past from vulnerable systems and retained those captured packets, they’ve the opportunity now to use analysis tools to replay those packets and decrypt the Internet traffic contained in those packets.
“In terms of remediation, there’s a huge amount of work which must be done, not only for servers, but for load-balancers, reverse proxies, VPN concentrators, various types of embedded devices, etc. Applications which were statically compiled against vulnerable versions of the underlying OpenSSL libraries must be re-complied; private keys must be invalidated, re-generated, and re-issued; certificates must be invalidated, re-generated, and re-issued – and there are a whole host of problems and operational challenges associated with these vital procedures.
“A key lesson here is that OpenSSL, which is a vital component of the confidentiality and integrity of uncounted systems and applications and sites across the Internet, is an underfunded, volunteer-run project which is desperately in need of major sponsorship and attendant allocation of resources.
“Serious questions have been raised regarding the notification process surrounding this vulnerability. The operational community at large have voiced serious disapproval surrounding the early notification of a single content delivery network (CDN) provider, while operating system vendors and distribution providers, not to mention the governmental and financial sectors, were left in the dark and discovered this issue only after it was publicly disclosed via a marketing-related weblog post by the CDN vendor in question. It has been suggested that the responsible disclosure best practices developed and adopted by the industry over the last decade were in fact bypassed in this case, and concerns have been voiced regarding the propriety and integrity of the disclosure process in this instance.”
