Gartner Blog Network


Open SSL Heartbleed vulnerability affects much more than just websites

by Avivah Litan  |  April 9, 2014  |  6 Comments

As we all know by now, this is mega-serious and affects all users of OpenSSL 1.0.1 through 1.0.1f – so those who kept their OpenSSL code up to date were in effect penalized.

For information on the vulnerability, see kb.cert.org

I’m just trying to understand why all the news reports are focused on individual communications with websites. SSL/TLS libraries, OpenSSL among them, are used in most ‘trusted’ machine-to-machine communications. This bug affects routers, switches, operating systems and other applications that embed the library in order to authenticate senders and receivers and to encrypt their communications.
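As an added example, not part of this post and not code from Gartner or the OpenSSL project, the script below applies the affected range the post cites (1.0.1 through 1.0.1f) to a constructed inventory of exactly the kinds of non-web systems listed above. Hostnames, roles and `openssl version` banners are made up. One caveat a practitioner needs: distribution vendors backported the fix without bumping the upstream version string (Debian and Red Hat, for instance, kept “1.0.1e”), so a match here means “check this host against the vendor’s advisory”, not a confirmed exposure.

```python
"""Triage OpenSSL version banners across an inventory for Heartbleed exposure.

Added example for this post; not Gartner's or OpenSSL's code. Inventory is constructed.
"""
import re
from dataclasses import dataclass

# OpenSSL's versioning at the time: major.minor.fix plus an optional patch letter,
# e.g. "1.0.1", "1.0.1f", "1.0.1g", "0.9.8y". This matches the `openssl version` banner.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    """Return (major, minor, fix, patch_letters) from a banner, or None if none is found."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)


def is_affected(version):
    """True when the version is in 1.0.1 through 1.0.1f, the range the post cites.

    1.0.0 and 0.9.8 never carried the heartbeat code, and 1.0.1g shipped the fix.
    An empty letter suffix (plain "1.0.1") sorts before "a", so it is included;
    any suffix from "g" upward compares greater than "f" and is excluded.
    """
    major, minor, fix, letters = version
    if (major, minor, fix) != (1, 0, 1):
        return False
    return letters <= "f"


@dataclass
class Host:
    name: str
    role: str
    banner: str


# Constructed inventory: the point of the post is that far more than web servers run OpenSSL.
SAMPLE_INVENTORY = [
    Host("www-1", "web server", "OpenSSL 1.0.1e 11 Feb 2013"),
    Host("edge-rtr-2", "router firmware", "OpenSSL 1.0.1c 10 May 2012"),
    Host("vpn-gw", "VPN concentrator", "OpenSSL 1.0.1g 7 Apr 2014"),
    Host("legacy-pay", "payment gateway", "OpenSSL 0.9.8y 5 Feb 2013"),
    Host("mail-1", "SMTP relay", "OpenSSL 1.0.0k 5 Feb 2013"),
    Host("nas-01", "file server", "OpenSSL 1.0.1 14 Mar 2012"),
    Host("switch-core", "switch management UI", "no openssl binary on this device"),
]


def triage(hosts):
    """Return {hostname: status}, status being 'affected', 'not affected' or 'unknown'.

    'affected' is a triage flag only: vendor builds that backported the fix keep the
    old upstream string, so confirm against the vendor's package changelog or advisory.
    """
    report = {}
    for h in hosts:
        v = parse_version(h.banner)
        if v is None:
            report[h.name] = "unknown"      # no parseable banner: needs a manual look
        elif is_affected(v):
            report[h.name] = "affected"
        else:
            report[h.name] = "not affected"
    return report


if __name__ == "__main__":
    for host in SAMPLE_INVENTORY:
        print(f"{host.name:<12} {host.role:<22} {triage([host])[host.name]}")
```

The `unknown` bucket matters as much as the `affected` one: embedded devices and appliances often expose no `openssl version` command at all, and those are the systems the post is pointing at.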

See the list of affected companies at kb.cert.org

What this means is that any trusted communications traffic using this library is ultimately not trustworthy – it goes way beyond individuals’ ‘handshakes’ and communications with websites. Forget having to plant back doors in encryption libraries, as the NSA allegedly did. The backdoors are already built in. So criminals and other bad actors can essentially eavesdrop on any sensitive communications using OpenSSL 1.0.1, such as payment processing, file sharing and more (although, as my colleague Erik Heidt pointed out, this would require a compound attack, since Heartbleed lets an attacker recover whatever is being processed in the server’s memory rather than directly attacking communications in transit).

We’ve all been acclimated to the fact that our sensitive data is no longer well protected while it is at rest. We’ve also learned over the years that retailers, financial services companies, ecommerce providers and others who accept our sensitive transactions can’t always stay ahead of criminal exploits that steal the information.

Now we need to get used to the fact that we can’t trust some of the implementations of the protocols that secure data in transit over public and private internet networks. Until now that was the one area that looked relatively safe, at least to me.



Thoughts on Open SSL Heartbleed vulnerability affects much more than just websites


  1. Thank you, Avivah, for raising my awareness.

    I guess I hadn’t delved into this as deeply as I should have. Now I see that just about everything on my network is hit in one way or another.

    It isn’t just the servers and the devices though, it is also the client software that will need to be updated.

    What a mess!

    I’m starting to believe truly secure computing is a myth in this day and age.

    Anyways, thank you for the information!

  2. Mohd Suhaizal MK says:

    “Now we need to get used to the fact that we can’t trust the protocols that secure data in transit over public and private internet networks.”

    I believe this statement must be corrected as it is not the protocol causing the vulnerability, but the implementation. Systems affected are only those upgraded to OpenSSL 1.0.1-1.0.1f; the 1.0.0 and 0.9.8 versions are not affected.

    As an analyst whose writing will be taken seriously by others, I strongly believe that the analysis should be complete (if not deeply thorough), rather than quickly jumping to conclusions and claiming fame. Differentiate between the implementation and the protocol specifications.

    Nevertheless, good article as it explains that not only web applications/systems are affected.

  3. Avivah Litan says:

    You are right. It is the implementation – not the protocol. I corrected the imprecise statement to now say “Now we need to get used to the fact that we can’t trust some of the implementations of the protocols that secure data in transit over public and private internet networks.”


