Avivah Litan

A member of the Gartner Blog Network

VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…

OpenSSL Heartbleed vulnerability affects much more than just websites

by Avivah Litan  |  April 9, 2014  |  6 Comments

As we all know by now, this is mega-serious and affects every user of OpenSSL 1.0.1 through 1.0.1f, the releases that introduced support for the TLS heartbeat extension; the older 1.0.0 and 0.9.8 branches are not affected, and the fix shipped in 1.0.1g. So those who kept their OpenSSL code up to date were in effect penalized.

For information on the vulnerability, see the CERT vulnerability note at kb.cert.org

I’m just trying to understand why all the news reports are focused on individual communications with websites. TLS/SSL implementations, OpenSSL chief among them, sit underneath most ‘trusted’ machine-to-machine communications. This bug affects routers, switches, operating systems and any other application that links a vulnerable OpenSSL to authenticate senders and receivers and to encrypt their communications, whether or not a browser is ever involved.

See the list of affected vendors at kb.cert.org

What this means is that any trusted communications traffic flowing through a vulnerable build is ultimately not trustworthy; it goes way beyond individuals’ ‘handshakes’ and communications with websites. Forget having to plant back doors in encryption libraries, as the NSA allegedly did. This bug is as good as a built-in back door: an unauthenticated peer sends a heartbeat request whose length field claims more payload than the message actually carries, and the vulnerable library answers with up to 64 KB of whatever sat next to that request in process memory, as often as the attacker cares to ask. That memory can hold the server’s private key, session cookies and the plaintext of other connections, and because the heartbeat extension runs in both directions, a vulnerable client that connects to a malicious server is exposed the same way. So criminals and other adversaries can essentially harvest sensitive data from any service built on OpenSSL 1.0.1, such as payment processing, file sharing and more (although, as my colleague Erik Heidt pointed out, this would require a compound attack, since Heartbleed enables an attacker to recover anything being processed in memory on the server, rather than being a direct attack against in-transit communications).
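The mechanism described above, as an added example that is not part of the original post and is not OpenSSL’s own code: a constructed C model of the TLS heartbeat handler with the pre-fix (1.0.1f) and post-fix (1.0.1g) behaviour side by side. The simulated process memory, the secret string placed after the record, and the function names (build_memory, process_heartbeat_vulnerable, process_heartbeat_fixed, response_leaks_secret) are all assumptions of the example; the two length checks in the fixed path mirror the checks the real fix added.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the heartbeat handler broken in OpenSSL 1.0.1-1.0.1f
 * (added example, not OpenSSL code). A heartbeat message is: 1 byte type,
 * 2 byte big-endian payload length, the payload, then >= 16 bytes of padding
 * (RFC 6520). The length field is attacker-controlled; the vulnerable code
 * trusted it, the fixed code checks it against the record actually received. */

#define HB_REQUEST      1
#define HB_RESPONSE     2
#define HB_PADDING      16
#define HB_MAX_RESPONSE (1 + 2 + 65535 + HB_PADDING)
#define MEMORY_SIZE     (65536 + 64)  /* simulated heap; any 16-bit length fits */

/* Simulated process memory: the received record sits at the front and a secret
 * unrelated to it sits right after, as another session's plaintext or the
 * server's private key would on the real heap. */
struct process_memory {
    uint8_t bytes[MEMORY_SIZE];
    size_t  record_length;   /* bytes the TLS record actually delivered */
};

static const char SECRET[] = "PRIVATE-KEY-MATERIAL-OF-ANOTHER-SESSION";

/* Lay out a heartbeat request whose length field claims `claimed_len` bytes
 * while the record really carries `actual_len` payload bytes (constructed input). */
void build_memory(struct process_memory *m, uint16_t claimed_len, size_t actual_len)
{
    if (actual_len > 65535)
        actual_len = 65535;
    memset(m->bytes, 0, sizeof m->bytes);
    m->bytes[0] = HB_REQUEST;
    m->bytes[1] = (uint8_t)(claimed_len >> 8);
    m->bytes[2] = (uint8_t)(claimed_len & 0xff);
    memset(m->bytes + 3, 'A', actual_len);
    m->record_length = 1 + 2 + actual_len + HB_PADDING;
    memcpy(m->bytes + m->record_length, SECRET, sizeof SECRET);
}

/* Shared body: returns the response length, or -1 when the request is rejected.
 * check_bounds = 0 models 1.0.1f, check_bounds = 1 models the 1.0.1g fix. */
static int process_heartbeat(const struct process_memory *m, uint8_t *out,
                             size_t out_cap, int check_bounds)
{
    const uint8_t *p = m->bytes;
    uint8_t  type;
    uint16_t payload;

    if (check_bounds && 1 + 2 + HB_PADDING > m->record_length)
        return -1;                       /* record too short even for a header */

    type = *p++;
    payload = (uint16_t)((p[0] << 8) | p[1]);  /* n2s(): attacker-controlled */
    p += 2;

    if (check_bounds && (size_t)1 + 2 + payload + HB_PADDING > m->record_length)
        return -1;                       /* the fix: claim exceeds the record */

    if (type != HB_REQUEST)
        return -1;

    /* The response is sized from the claimed length, so the write never
     * overflows; the defect is that the memcpy READS `payload` bytes starting
     * at the payload, running past the record into whatever follows in memory. */
    size_t resp_len = (size_t)1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;                       /* demo buffer guard, not part of the model */

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, p, payload);         /* over-read when payload > real payload */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

int process_heartbeat_vulnerable(const struct process_memory *m, uint8_t *out, size_t cap)
{
    return process_heartbeat(m, out, cap, 0);
}

int process_heartbeat_fixed(const struct process_memory *m, uint8_t *out, size_t cap)
{
    return process_heartbeat(m, out, cap, 1);
}

/* 1 if SECRET appears anywhere in the n response bytes, else 0. */
int response_leaks_secret(const uint8_t *out, int n)
{
    size_t slen = strlen(SECRET);
    for (size_t i = 0; n >= 0 && i + slen <= (size_t)n; i++)
        if (memcmp(out + i, SECRET, slen) == 0)
            return 1;
    return 0;
}

int main(void)
{
    static struct process_memory mem;
    static uint8_t out[HB_MAX_RESPONSE];
    build_memory(&mem, 100, 4);          /* claims 100 payload bytes, carries 4 */
    int n = process_heartbeat_vulnerable(&mem, out, sizeof out);
    printf("1.0.1f: %d byte response, secret leaked: %s\n",
           n, response_leaks_secret(out, n) ? "yes" : "no");
    n = process_heartbeat_fixed(&mem, out, sizeof out);
    printf("1.0.1g: %s\n", n < 0 ? "request rejected" : "request answered");
    return 0;
}
```

Compile with `cc -Wall heartbeat.c`. The point to notice is that nothing overflows on the write, because the response buffer is sized from the attacker’s length field; the defect is purely an over-read, which is why the leak is silent, never crashes the process, and can be repeated until the attacker has walked through whatever the process keeps in memory.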

We have all grown used to the fact that our sensitive data is no longer well protected while it is at rest. We’ve also learned over the years that retailers, financial services companies, ecommerce providers and others who accept our sensitive transactions can’t always stay ahead of the criminal exploits that steal the information.

Now we need to get used to the fact that we can’t trust some of the implementations of the protocols that secure data in transit over public and private internet networks. Until now that was the one area that looked relatively safe, at least to me. For anyone running an affected build, the fix is to upgrade to 1.0.1g (or rebuild with the heartbeat extension disabled via -DOPENSSL_NO_HEARTBEATS), restart every process that loaded the old library, and then, because keys may already have been read out of memory, reissue certificates and rotate the private keys, session tokens and passwords that passed through those hosts.

Category: Uncategorized

6 responses so far

  • 1 Open SSL Heartbleed vulnerability affects much more than just websites | All that All   April 9, 2014 at 4:36 pm

    [...] By Avivah Litan [...]

  • 2 Open SSL Heartbleed vulnerability affects much more than just websites | Euler Global Consulting   April 9, 2014 at 4:45 pm

    [...] By Avivah Litan [...]

  • 3 Open SSL Heartbleed vulnerability affects much more than just websites : 6config: Le blog   April 9, 2014 at 5:01 pm

    [...] By Avivah Litan [...]

  • 4 Jeremy Landauer   April 10, 2014 at 7:18 pm

    Thank you Avivah for raising my awareness.

    I guess I hadn’t delved into this as deeply as I should have. Now I see that just about everything on my network is hit in one way or another.

    It isn’t just the servers and the devices though, it is also the client software that will need to be updated.

    What a mess!

    I’m starting to believe truly secure computing is a myth in this day and age.

    Anyways, thank you for the information!

  • 5 Mohd Suhaizal MK   April 10, 2014 at 9:33 pm

    “Now we need to get used to the fact that we can’t trust the protocols that secure data in transit over public and private internet networks.”

    I believe this statement must be corrected, as it is not the protocol causing the vulnerability, but the implementation. Systems affected are only those upgraded to OpenSSL 1.0.1-1.0.1f; the 1.0.0 and 0.9.8 versions are not affected.

    As an analyst whose writing will be taken seriously by others, I strongly believe that the analysis should be complete (if not deeply thorough), rather than quickly jumping to conclusions and claiming fame. Differentiate between the implementation and the protocol specifications.

    Nevertheless, good article as it explains that not only web applications/systems are affected.

  • 6 Avivah Litan   April 10, 2014 at 10:03 pm

    You are right. It is the implementation – not the protocol. I corrected the imprecise statement to now say “Now we need to get used to the fact that we can’t trust some of the implementations of the protocols that secure data in transit over public and private internet networks.”