Akamai has issued new SSL certificates to some of its customers after realising its customized OpenSSL was not immune to the Heartbleed bug as first thought. Some time ago, the web distribution giant modified the code to the open-source OpenSSL library and rolled the tweaked version out to just its servers: that adjustment …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Tuesday 15th April 2014 17:32 GMT Brewster's Angle Grinder

If they had contributed this patch when they first made it, then someone might have spotted the defect before the heart bleed bug was discovered...

7 0
1. Tuesday 15th April 2014 17:39 GMT frank ly
  
  Ah, but their special secret source made their product taste better. Or, .... not....
  
  3 0
2. Friday 25th April 2014 07:54 GMT Bronek Kozicki
  
  Contributed? Where to? OpenSSL does not take contribution outside of "their own", even critical bugfixes. And especially no security measures.
  
  0 0
Tuesday 15th April 2014 18:46 GMT JaimieV

Er, why?

They clearly knew what the bug was, and had the options (in ascending order of complexity)

a) Disable the heartbeat service, which is basically never used anyway (until last week!)

b) Fix the bug

c) Do something to ensure that important things are always >64kB away from the memory space the server process might be using to respond to hearbeat requests

A config tweak vs a ~three-line fix vs writing a large chunk of control code to mess with memory allocation for certain functions. Which they then got wrong anyway.

1 5
1. Tuesday 15th April 2014 19:47 GMT Anonymous Coward
  
  Re: Er, why?
  
  It's not obvious that they knew of this specific bug - developers were already concerned that OpenSSL's own "secret malloc sauce" was dangerous. Here's OpenSSH's Theo de Raadt gently remonstrating...
  
  http://article.gmane.org/gmane.os.openbsd.misc/211963
  
  But yes, building OpenSSL with heartbeats disabled would have been good - unless of course they tried and found that this conflicted with some other config macro they needed, since most of the combinations weren't being built, let alone tested. Such a minority interest item shouldn't have been enabled by default anyway, especially in a security layer.
  
  8 0
  1. Wednesday 16th April 2014 20:39 GMT Jamie Jones
    
    Re: Er, why?
    
    "It's not obvious that they knew of this specific bug - developers were already concerned that OpenSSL's own "secret malloc sauce" was dangerous. Here's OpenSSH's Theo de Raadt gently remonstrating..."
    
    Arrrrrghhh!
    
    How many times do I need to repeat myself?
    
    To summarise:
    
    This bug is a buffer over-read.
    
    Nothing to do with malloc.
    
    No malloc/calloc/jemalloc/magic-pixies-malloc would have helped.
    
    Yeah, guard pages and canaries could help, but as it stands, so long as the memory being overflowed to still belongs to the process, there won't be any sigsev crash.
    
    0 0
Tuesday 15th April 2014 19:54 GMT Anonymous Coward

For a big outfit Akamai is doing better than feared

How often do we get to see a corp boast in public, get called out on it and then promptly eat that humble pie, discuss their mistake in reasonable technical detail, and set about digging its customers out of the mess? A couple of years back I'd have expected a promptly hurled spurious law suit (DCMA protection device violation, libel, damaging customer confidence, disclosure of trade secrets, freelance subversion...)

Maybe it's the influence of Pwn to Own (etc), or maybe they're both symptoms of an overall change, but it feels like our industry is growing up just a bit.

17 0
1. Wednesday 16th April 2014 08:37 GMT Bronek Kozicki
  
  Re: For a big outfit Akamai is doing better than feared
  
  Also, that is a very nice example of play between corporate and open source, working exactly as intended. Many eyes etc. ... benefiting almost everyone (NSA excluded).
  
  1 0
Tuesday 15th April 2014 20:28 GMT John Smith 19

The more I learn of OpenSSL the more I wonder about the the idea of

"Release a core set of functions, then role out more over time (or prioritize heavily used ones first)"

It seems if they had left the heartbeat message handling till later they might never have done it at all.

0 0
Tuesday 15th April 2014 22:13 GMT Anonymous Coward

Prime example of a lousy open source user - makes improvements to critical widely used software - doesn't bother to feed back into the project. Worse considering how little support openssl seems to have been receiving despite how important it is. Oh well.

1 6
1. Wednesday 16th April 2014 10:08 GMT Hans 1
  
  With freedom comes responsibility.
  
  1 0
Wednesday 16th April 2014 10:49 GMT Swarthy

Huh?

"Nothing against Akamai, but seriously: they held off replacing certs because they thought they were secure? Ugh," said Matthew Green

Umm.. a bit like everyone using OpenSSL then? If you believe you're secure, why would you replace certs that are not threatened?

Full marks to Akamai for acting responsibly when the flaws were pointed out.

1 0
Wednesday 16th April 2014 11:31 GMT Irongut

Could be worse

Better than GIS software maker ESRI. They have issued a statement saying:

"ArcGIS Online – No customer action is required as mitigations have been applied to all service endpoints and certificates are being re-issued across the platform as a precautionary measure."

So they claim to have patched their servers but by 16/04 they still haven't replaced certificates and they are telling customers they don't need to do anything when a password change will be required. The mind boggles at the incompetence of such a large company with so many government and military customers.

1 0
Wednesday 16th April 2014 12:15 GMT Glen Turner 666

What's wrong with this picture, and the general response to Heartbleed? Our servers are running software which may leak your private data. But *we will keep them running*.

In the contest between security and revenue, revenue wins.

0 1
1. Wednesday 16th April 2014 13:13 GMT Tom 13
  
  Re: What's wrong with this picture,
  
  The problem with taking ALL those servers offline to fix the issue is that the ensuing financial chaos would have made the recent banking/mortgage crisis look like a day in the park.
  
  This is the fundamental problem in security: Does fixing the known security issue cause more damage than running with it? If so, how much more?
  
  You need to mitigate, but the mitigation can't be worse than the disease. It's why although problematic, the secret notification people have a valid point about vulnerabilities. And if vendors are being responsible are the first route to take.
  
  0 0