Heartbleed—it’s just about as scary as it sounds. This nasty little bug can reveal private data like usernames, passwords and credit card numbers and has affected major sites like Facebook, Tumblr, Google, Gmail, Amazon, GoDaddy and Dropbox, to name a few. After being exposed on Monday, it has even spurred a pre-emptive shutdown of some government services, in order to mitigate potential damage.
According to Christina Warren, Senior Tech Analyst at Mashable, “Heartbleed has the potential to be one of the biggest, most widespread vulnerabilities in the history of the modern web”.
Warren goes on to say Heartbleed is a technical problem affecting OpenSSL, software used to encrypt a large share of web communications. Because of the technical nature of the bug, it’s hard for everyday non-techies to understand the issue and protect themselves. The actual battle against Heartbleed lies at the back end, with the people managing affected web services.
But here’s the really scary part: because OpenSSL is so ubiquitous, and because exploitation of Heartbleed has thus far proven impossible to detect, it’s still unknown just how bad the damage is.
According to Symantec, one of the leading vendors in the Global Email Encryption Market (which is growing at a CAGR of more than 21 percent from 2014-2018), “approximately 66% of the Internet or two-thirds of web servers (according to Netcraft Web server report) could be using this software.”
That’s a staggering amount of vulnerable information.
“As bad as that is, the worst part is that this vulnerability has actually been around since December 2011,” writes Warren in a recent Mashable article.
“Lots of software packages started using the vulnerable version of OpenSSL in May 2012. So for two years, any app, website, bank or private messaging app that uses OpenSSL has been vulnerable to this bug.”
Techsperts across the web are citing Heartbleed as an example of the fragility of the web, a “trivial error” with catastrophic effects.
In a statement released on the company website, Symantec rushed to reassure customers that they are doing all they can to deal with the threat.
“As the world’s leading Certification Authority, Symantec has already taken steps to strengthen our systems. Our roots are not at risk; however, we are following best practices and have re-keyed all certificates on web servers that have the affected versions of OpenSSL.”
While Symantec’s statement appeared on their website proper, McAfee, the second leading vendor in the market, seemed to be keeping mum on the issue. However, in company message boards, they released the following:
“McAfee is identifying those products impacted by the vulnerable OpenSSL versions and updating them to a remediated OpenSSL version. A consolidated Security Bulletin will be published on the McAfee Knowledge Center and list all affected products. This document will be updated daily as new hot fixes and patches are posted for customer download.”
This was followed by an SNS message notifying administrators that a vulnerability in their SIEM (Security Information and Event Management) product has been identified and resolved.
All of this has still left everyday users in the lurch. The most frustrating part of it is, if you’re not an administrator, all you can do to cope with Heartbleed is change passwords, cross your fingers and hope for the best.
For more insights from TechNavio, view our Global Email Encryption Market 2014-2018 report.