The Internet will become relatively free of the ‘Heartbleed’ bug, the web’s biggest security threat in the recent past, within the next ‘few weeks’. However, its ramifications would be felt for the next 2-3 years, according to a top official with the Finnish security firm credited with discovering the bug.

“The vast majority of the Internet would be upgraded and fixed in the next couple of weeks. However, we would be hearing about Heartbleed for the next two years or so, as people are slow to patch even if patched versions are available,” said David Chartier, Chief Executive Officer of Codenomicon.

Founded in 2001, Codenomicon is a cyber security company that develops security testing tools for manufacturers, service providers and enterprise customers. It discovered Heartbleed, tracked as CVE-2014-0160, during a routine test of its own software: the researchers played the part of outside attackers and attacked the firm’s online infrastructure to test its resilience. The bug was found independently, at around the same time, by a Google researcher.

“Sometimes it can take years for everybody to get the upgrade,” Chartier told Business Line over the telephone from Codenomicon’s office in San Francisco.

Heartbleed affects OpenSSL, a widely used open-source library that implements the SSL/TLS protocols on a large share of web servers. With OpenSSL, a website can encrypt its connection to visitors, so that the data in transit between the user’s device and the website (including usernames, passwords and session cookies) cannot be read by anyone else on the path.

OpenSSL 1.0.1, released in March 2012, introduced the vulnerability: a bounds-checking mistake, unknowingly made by a programmer in the code that handles the TLS Heartbeat extension, which lets an attacker read up to 64 KB of the web server’s process memory per request without leaving a trace in ordinary server logs. Every release from 1.0.1 through 1.0.1f is affected; the fix shipped in 1.0.1g on April 7, 2014.
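The following is an added illustration, not Codenomicon’s or OpenSSL’s code: a simplified model of a heartbeat handler showing the flaw beside its fix. The vulnerable handler trusts the payload length the client claims; the fixed one adds the same bounds check that OpenSSL 1.0.1g added. The “process memory” arena, the planted secret and the request bytes are all constructed here so the example runs offline, and the vulnerable copy is clamped to that arena only to avoid undefined behaviour in the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a TLS heartbeat message (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding (at least 16 bytes)
 * The whole record, padding included, is what actually arrived on the wire. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16

/* Constructed secret that sits in memory next to the received record. */
static const char secret[] = "session_cookie=constructed-secret-value";

/* Constructed stand-in for the server's process memory: the received heartbeat
 * record sits at the start of a larger buffer that also holds unrelated data. */
typedef struct {
    const unsigned char *mem;  /* whole arena */
    size_t mem_len;
    size_t rec_len;            /* bytes of the heartbeat record actually received */
} server_state;

typedef size_t (*hb_handler)(const server_state *, unsigned char *, size_t);

/* Vulnerable handler: trusts the client-supplied payload_length and copies that
 * many bytes from the record into the response, no matter how many bytes were
 * actually received. The copy is clamped to the arena only so this model has no
 * undefined behaviour; in the real bug the read ran off the end of the record
 * into whatever happened to sit next to it in memory. */
static size_t heartbeat_vulnerable(const server_state *s, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = s->mem;
    if (s->rec_len < 3 || p[0] != HB_REQUEST) return 0;
    size_t payload = (size_t)((p[1] << 8) | p[2]);
    size_t resp_len = 3 + payload + HB_PADDING;
    if (resp_len > out_cap || 3 + payload > s->mem_len) return 0;  /* model limits only */
    out[0] = HB_RESPONSE;
    out[1] = p[1];
    out[2] = p[2];
    memcpy(out + 3, p + 3, payload);           /* over-read whenever 3 + payload > rec_len */
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Fixed handler: the bounds check OpenSSL 1.0.1g added. If the claimed payload
 * plus header and minimum padding does not fit in the record that was actually
 * received, the request is silently discarded (as RFC 6520 section 4 requires). */
static size_t heartbeat_fixed(const server_state *s, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = s->mem;
    if (s->rec_len < 3 || p[0] != HB_REQUEST) return 0;
    size_t payload = (size_t)((p[1] << 8) | p[2]);
    if (1 + 2 + payload + HB_PADDING > s->rec_len) return 0;      /* the Heartbleed fix */
    size_t resp_len = 3 + payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = p[1];
    out[2] = p[2];
    memcpy(out + 3, p + 3, payload);           /* now provably inside the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Builds a constructed request with 1 real payload byte plus 16 bytes of padding
 * (20 bytes on the wire) but a payload_length field of `claimed`, plants the
 * secret elsewhere in the arena, and returns the handler's response length. */
static size_t run_request(hb_handler h, uint16_t claimed, unsigned char *out, size_t out_cap)
{
    unsigned char mem[256] = {0};
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(claimed >> 8);
    mem[2] = (unsigned char)(claimed & 0xff);
    mem[3] = 'A';                                  /* the only real payload byte */
    memcpy(mem + 64, secret, sizeof secret - 1);   /* unrelated data after the record */
    server_state s = { mem, sizeof mem, 3 + 1 + HB_PADDING };
    return h(&s, out, out_cap);
}

/* 1 if the response to an over-long claim (200 bytes) carries the planted secret. */
static int leaks_secret(hb_handler h)
{
    unsigned char out[512];
    size_t n = run_request(h, 200, out, sizeof out);
    size_t want = sizeof secret - 1;
    for (size_t i = 0; n >= want && i + want <= n; i++)
        if (memcmp(out + i, secret, want) == 0) return 1;
    return 0;
}

/* Response length for an honest request (payload_length = 1): 20 for both handlers. */
static size_t honest_response_len(hb_handler h)
{
    unsigned char out[512];
    return run_request(h, 1, out, sizeof out);
}

int main(void)
{
    printf("vulnerable: leaks=%d honest_len=%zu\n",
           leaks_secret(heartbeat_vulnerable), honest_response_len(heartbeat_vulnerable));
    printf("fixed:      leaks=%d honest_len=%zu\n",
           leaks_secret(heartbeat_fixed), honest_response_len(heartbeat_fixed));
    return 0;
}
```

The point to notice is that nothing in the vulnerable path fails: the malformed request is answered with a normal-looking heartbeat response, which is why the leak leaves no error in the server’s logs and why the honest request still gets the same 20-byte answer from both handlers.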

“Heartbleed is the perfect bug for the bad guys. Nobody will ever come to know whether it has been exploited unless somebody comes forward and says they have done so,” said Chartier.

Incidentally, Codenomicon has an office in New Delhi, and employs seven in the country.

Following the discovery, Codenomicon bought the heartbleed.com domain, where it has been publishing information about the flaw. By one estimate, about 7.5 lakh (750,000) web servers run OpenSSL.

“As on last Friday, about 1.2 lakh web servers were vulnerable. Thankfully, all the top-tier players on the internet moved quickly to update. We envisage that there are less than 1 lakh vulnerable websites currently,” said Chartier.

He, however, did not name the Indian websites that were vulnerable.
