FYI Heartbleed fallout: Slowing the web to a crawl

visionlogic

Last Friday Web services company CloudFlare issued an open challenge to hackers to see if Heartbleed could be used to do something really dangerous: steal the security certificates of websites. Within hours several participating hackers had accomplished the feat. Now hundreds of thousands of websites will, along with patching the Heartbleed bug itself, have to revoke and reissue their security certificates. Since many browsers download and maintain revocation lists of these certificates, these browsers will now have to continually check and re-download the now massive and growing lists, hundreds of megabytes in size.

Full story: Heartbleed is about to get worse, and it will slow the Internet to a crawl
 

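As an added example (not from the thread, and not CloudFlare's or anyone else's code), here is what "revoke and reissue" and a revocation-list check look like with the openssl command-line tool: a throwaway CA issues two certificates, revokes the one whose private key is assumed to have leaked, publishes a CRL, and the revoked certificate then fails verification while the other still passes. The CA name, hostnames and file names are made up; the script needs only openssl(1) and runs offline in a temporary directory.

```shell
#!/bin/sh
# Added example: demo CA, two leaf certs, one revocation, CRL check.
# "Example Test CA", www.example.test and mail.example.test are made-up names.
set -e

WORK=$(mktemp -d)

# Minimal openssl ca(1) configuration: just what -gencrl and -revoke need.
write_ca_config() {
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/ca.srl
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName       = supplied
EOF
    : > "$WORK/index.txt"        # empty certificate database
    echo 1000 > "$WORK/crlnumber" # first CRL number (hex)
}

# Issue a leaf certificate with file stem $1 for CN $2, signed by the demo CA.
issue_leaf() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -out "$WORK/$1.crt" 2>/dev/null
}

# Publish the CA's current CRL as $WORK/$1.crl (PEM).
publish_crl() {
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/$1.crl" 2>/dev/null
}

# Verify leaf $1 against CRL $2; prints OK, REVOKED or FAIL.
# The CA cert and the CRL are concatenated because -crl_check looks for
# the issuer's CRL in the same trust store as the CA certificate.
verify_status() {
    cat "$WORK/ca.crt" "$WORK/$2.crl" > "$WORK/bundle-$2.pem"
    out=$(openssl verify -crl_check -CAfile "$WORK/bundle-$2.pem" "$WORK/$1.crt" 2>&1 || true)
    case "$out" in
        *"certificate revoked"*) echo REVOKED ;;
        *": OK"*)                echo OK ;;
        *)                       echo FAIL ;;
    esac
}

# Number of revoked serials listed in CRL $1 (each one is a "Serial Number:" line).
crl_entry_count() {
    openssl crl -in "$WORK/$1.crl" -noout -text | grep -c "Serial Number:" || true
}

build_demo_pki() {
    write_ca_config
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Example Test CA" -days 3650 2>/dev/null
    issue_leaf compromised www.example.test
    issue_leaf untouched   mail.example.test
    publish_crl before
    # Assume the www.example.test private key was read out of server memory:
    # the operator reissues the cert and the CA revokes the old one.
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/compromised.crt" 2>/dev/null
    publish_crl after
}

build_demo_pki
echo "before revocation: compromised=$(verify_status compromised before) untouched=$(verify_status untouched before) crl_entries=$(crl_entry_count before)"
echo "after revocation:  compromised=$(verify_status compromised after) untouched=$(verify_status untouched after) crl_entries=$(crl_entry_count after)"
```

Each revoked certificate adds a serial number and revocation date to the CRL, which is why a mass revocation after a key-compromise event inflates the list a client has to fetch. In practice browsers of the time did not depend on downloading full CRLs (Chrome shipped a curated CRLSet and Firefox later introduced OneCRL), and OCSP, ideally with stapling, avoids the download altogether.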
atsak

It was necessary to patch it immediately if you were a sysadmin, nothing more. Same as every other security risk that's identified monthly.
 

magna.vis

I have to disagree, this one was fairly widespread, and potentially presented, in clear text, a large amount of information. I do believe there are varying degrees of severity to vulnerabilities, don't you?
 

atsak

Yes, but the public at large was over-informed on this. And by the way, the internet didn't slow to a crawl. You can't, or rather shouldn't, tell the general public certain things because they lack the fundamentals to understand how to interpret things properly. It results in a massive outflow of resources to answer questions which are not relevant and become sensationalized in the press (because the press are idiots). Put simply, this was a critical security flaw. It required immediate action by system administrators to patch it. Thus far the only information I know was stolen was here in Canada; the Canada Revenue Agency servers were exploited by a script kiddie who used the code released a day after the announcement by the black hat community to grab about 900 social insurance numbers because they had not patched it in time (i.e., SSNs to US folks, taxpayer IDs to much of the rest of the world). They caught him a day or two later.

Having said that, a lack of transparency in general public information to prevent hysteria is often misused as an excuse to trample on rights (a la the NSA etc) so it is a bit of a dangerous thing to be sure. In this case though the information was transparent, but delivered in a typically sensationalist way by the press.

In other words, I am saying that you have to put the right information into the right people's hands at the right time. Similar risks (like the one with RDP services on Windows and several browser vulnerabilities) have not been so over sensationalized despite risking similar information. Consider your audience has often been my mantra.

It is OK to disagree though about the value of the way the information was disseminated IMO - I guess we all have different views about this kind of thing.
 
