The SafeLogic Blog
The Upside of the Heartbleed Bug
May 28, 2014 • Walt Paley
Heartbleed was huge. Massive. A giant, gaping hole that could be exploited in several ways and somehow went unnoticed for over two years. It was an embarrassment, a black eye for the OpenSSL Foundation and really for everyone who relies on OpenSSL for encryption... which is the majority of the Internet, and most of the world's internal sites and apps as well.
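To make the "giant, gaping hole" concrete, here is an added illustration (not code from the original post, and not OpenSSL's code) of the mechanism behind CVE-2014-0160: a simplified Python model of the TLS heartbeat handler from OpenSSL 1.0.1, once as it behaved before the fix and once with the bounds check the fix added. The heartbeat message layout (type byte, 16-bit payload length, payload, at least 16 bytes of padding) follows RFC 6520; the "neighbouring memory" contents, the function names, and the memory model (the record sitting at the front of one flat buffer) are constructed for the example.

```python
"""Simplified model of the Heartbleed bug (CVE-2014-0160): a heartbeat handler
that trusts the peer's declared payload length, next to the same handler with
the bounds check that fixed it. This is an added illustration, not OpenSSL's
source; NEIGHBOUR_MEMORY is made-up sample data."""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16     # RFC 6520: at least 16 bytes of padding follow the payload
HEADER = 1 + 2   # type byte + 16-bit big-endian payload_length

# Constructed sample of data that might sit next to the record in the process heap.
NEIGHBOUR_MEMORY = (b"GET /login HTTP/1.1\r\nCookie: session=ab12cd34ef56\r\n"
                    b"user=alice&password=hunter2\r\n" + b"\x00" * 32)


def build_heartbeat(payload, claimed_length=None):
    """Encode a heartbeat request. An honest peer sets claimed_length == len(payload);
    a Heartbleed probe claims far more than it actually sends."""
    if claimed_length is None:
        claimed_length = len(payload)
    return (bytes([HB_REQUEST]) + struct.pack(">H", claimed_length)
            + payload + b"\x00" * PADDING)


def parse_heartbeat(record):
    """Return (type, declared payload length) from a heartbeat record header."""
    hbtype = record[0]
    (claimed,) = struct.unpack(">H", record[1:3])
    return hbtype, claimed


def handle_vulnerable(record, memory=NEIGHBOUR_MEMORY):
    """Pre-fix behaviour: believe payload_length and copy that many bytes from the
    start of the payload, however many bytes the record really carried."""
    hbtype, claimed = parse_heartbeat(record)
    if hbtype != HB_REQUEST:
        return None
    buf = record + memory                   # the record plus whatever follows it in memory
    echoed = buf[HEADER:HEADER + claimed]   # over-read: runs past the end of the record
    return bytes([HB_RESPONSE]) + struct.pack(">H", claimed) + echoed + b"\x00" * PADDING


def handle_fixed(record, memory=NEIGHBOUR_MEMORY):
    """Post-fix behaviour: the declared length (plus mandatory padding) must fit
    inside the record that was actually received; otherwise discard silently."""
    if len(record) < HEADER + PADDING:      # too short to be a valid heartbeat at all
        return None
    hbtype, claimed = parse_heartbeat(record)
    if hbtype != HB_REQUEST:
        return None
    if HEADER + claimed + PADDING > len(record):   # the check that was missing
        return None
    echoed = record[HEADER:HEADER + claimed]       # bounded by the record itself
    return bytes([HB_RESPONSE]) + struct.pack(">H", claimed) + echoed + b"\x00" * PADDING


def response_payload(response):
    """Extract the echoed bytes from a heartbeat response."""
    _, claimed = parse_heartbeat(response)
    return response[HEADER:HEADER + claimed]


if __name__ == "__main__":
    honest = build_heartbeat(b"ping")
    probe = build_heartbeat(b"A", claimed_length=96)   # 1 byte sent, 96 bytes claimed
    print(response_payload(handle_vulnerable(honest)))  # b'ping'
    print(response_payload(handle_vulnerable(probe)))   # b'A' followed by leaked neighbour data
    print(handle_fixed(probe))                          # None: request discarded
```

The vulnerable handler never compares the declared length with the length of the record it actually received, so a one-byte request that claims 96 bytes is answered with 96 bytes, 79 of which come from whatever happened to sit after the record. The fixed handler refuses the same request outright, which is why the real fix was a few lines long even though the exposure was enormous.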
The first confirmed data losses due to the Heartbleed Bug were on April 14th, when the Canada Revenue Agency lost 900 social insurance numbers (the Canadian equivalent of a Social Security Number) in six hours to a determined college student. Bad? Yes. But destructive at the worldwide level that we believed possible? Not even close.
So here's my point. Heartbleed had a big, fat, silver lining. In the span of a few days, millions of administrators regenerated their private keys and reissued their SSL certificates. We have confirmed very little actual harm caused by the vulnerability, and we have documented millions of websites and apps applying patches, updating their software, regenerating their private keys and reissuing certificates. If only we could inspire this type of prophylactic activity on a regular basis. It's like pulling teeth to get users to reset passwords, but one well-publicized breach and folks are clamoring for it. Many consumers are being proactive and using tools specifically to avoid unpatched websites. These are steps in the right direction.
Don't get me wrong. I won't be wishing for another Heartbleed. We have our hands full as it is with the eBays and Targets of the world. But I'm absolutely certain that there will be another bug... probably worse than Heartbleed: bigger, more widespread, more heavily exploited... and it will be exposed in the fairly near future. Such is life in this industry. The 'next big thing' always includes the raised stakes inherent in our bigger Big Data, our faster connectivity, and our multiplying endpoints. Luckily, we are making leaps forward every time we are faced with these threats, and we have very very very smart folks on our side.
My bigger concern had been that we would become jaded and tuned out to the dangers. Target and eBay dropped the ball on their crisis responses, but banks and credit card companies responded swiftly and effectively. Anecdotally, I have talked to a lot of people who were prompt to reset personal passwords and treat their identity protection with the proper level of respect and attention that it deserves. The strong performance of site administrators and product architects worldwide in their response to Heartbleed has shown me that we have many reasons to be optimistic. Here at SafeLogic, we had patches rolling out within hours of the announcement, and we were not alone. As we approach the tipping point toward the Internet of Things, our vigilance must remain strong, and the industry's unified response to Heartbleed has actually helped me sleep better at night.
Walt Paley
Walter Paley is the VP of Communications for SafeLogic. He is responsible for strategy, content, marketing, and outreach. Walt has worked with a series of start-ups and companies in growth stages, including Nukona (acquired by Symantec), Qubole, Bitzer Mobile (acquired by Oracle), and TigerText, among others. An Alumnus of the psychology program at UC San Diego, Walt lives in Southern California with his wife, kids, and their black lab, Echo.