SAN FRANCISCO (MCT) — The discovery of a significant flaw in software that was supposed to provide extra protection for thousands of websites has thrown the tech world into chaos as experts scrambled to understand the scope of the vulnerability.
Consumers started to receive a trickle of notices from services they use online alerting them to potential issues and recommended steps, such as changing passwords. But given the scope of the issue, security experts projected that it could take years to sew up all the holes created by the Heartbleed bug.
“This is one of the worst security issues we’ve seen in the last decade and will remain within the top 5 for many years to come,” said Adam Ely, founder and chief operating officer of Bluebox Security.
Jeff Forristal, Bluebox chief technical officer: “OpenSSL is extremely pervasive on all manners of devices, systems and servers. It is going to take the ecosystem significant time to get everything updated, and we will be looking at a long tail situation that could easily extend into years.”
Heartbleed is a vulnerability in OpenSSL, encryption software used by an estimated 66 percent of all servers on the public Internet. OpenSSL is open-source code developed and maintained by a community of developers rather than by a single company.
The vulnerability was discovered separately last week by Neel Mehta, a security researcher at Google Inc., and a team of engineers at Codenomicon, a security website that has since created a site with information about Heartbleed.
On Tuesday, Tumblr, owned by Yahoo Inc., disclosed that it had been hit by Heartbleed and urged users to change not just the password for its site but for all others.
Signaling just how much uncertainty and confusion surrounds the glitch, security experts warned that such a step might actually be useless: if a site has not yet fixed the problem, hackers could just as easily steal the new password.
“The scope of this is immense,” said Kevin Bocek, vice president of security strategy and threat intelligence for Venafi, a Salt Lake City cybersecurity company. “And the consequences are still scary. I’ve talked about this like a ‘Mad Max’ moment. It’s a bit of anarchy right now. Because we don’t know right now who has the keys and certificates on the Internet right now.”
But Internet users now face a dilemma: How do they know they can trust a site?
©2014 Los Angeles Times
MCT Information Services