Heartbleed: Marketing, Or Responsible Disclosure?
When the Heartbleed OpenSSL flaw became a media circus, administrators felt left out of the loop, says Sean Michael Kerner
The Heartbleed encryption vulnerability affects hundreds of millions of people. But even while the OpenSSL flaw was given a brand and packaged up for the media, administrators and service providers suffered because the disclosure process was botched.
The Heartbleed flaw is found within OpenSSL, an open-source cryptographic library that implements the SSL/TLS protocols and is widely deployed on Linux servers and Internet infrastructure around the world to encrypt and secure web traffic.
It is a critical security issue, which was packaged and branded from day one, while a broken disclosure process only served to add further fuel and anxiety to the security risk experienced by administrators.
From Heartbeat to the Heartbleed brand
On 7 April, the original OpenSSL advisory was first issued, which did not refer to the flaw as “Heartbleed,” but rather as a flaw in OpenSSL's “Heartbeat” handling. Heartbeat refers to the TLS/DTLS keep-alive extension (RFC 6520) implemented in OpenSSL, in which a peer sends a short payload and expects the same payload echoed back.
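The article does not describe the bug itself, so the following is an added, simplified illustration of the Heartbeat handling that went wrong; it is not OpenSSL's code. It models a heartbeat message per RFC 6520 (one type byte, a two-byte payload length, the payload, then at least 16 bytes of padding) and shows a handler that trusts the peer-supplied length beside one that first checks the length against the bytes actually received, which is the shape of the check the OpenSSL 1.0.1g fix added. The buffer layout, the "secret" placed after the record, and all function names are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of padding */

/* Vulnerable handler: trusts payload_length from the wire and copies that
 * many bytes out of the receive buffer without comparing it to rec_len,
 * the number of bytes the record layer actually delivered.
 * Returns the response length, or -1. */
int hb_handle_vulnerable(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload  = ((size_t)rec[1] << 8) | rec[2];
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;       /* guards only the output buffer */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);       /* over-reads when payload > rec_len - 3 */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Fixed handler: the claimed payload length must fit inside the received
 * record; otherwise the message is silently discarded (RFC 6520 section 4). */
int hb_handle_fixed(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;   /* the missing bounds check */
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Constructed scenario: a request carrying a 3-byte payload ("abc") but
 * claiming `claimed` bytes, followed in the same memory region by data
 * that was never meant to go on the wire. Returns the real record length. */
static const char SECRET[] = "SESSION=deadbeef";

static size_t build_arena(uint8_t *arena, size_t cap, uint16_t claimed)
{
    memset(arena, 'P', cap);                 /* stand-in for adjacent heap contents */
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memcpy(arena + 3, "abc", 3);
    memset(arena + 6, 0, HB_PADDING);
    size_t rec_len = 3 + 3 + HB_PADDING;     /* 22 bytes actually received */
    memcpy(arena + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

static int contains(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable handler echoes the adjacent secret back to the peer. */
int vulnerable_leaks_secret(void)
{
    uint8_t arena[256], out[256];
    size_t rec_len = build_arena(arena, sizeof arena, 64);
    int n = hb_handle_vulnerable(arena, rec_len, out, sizeof out);
    return n > 0 && contains(out, (size_t)n, SECRET);
}

/* 1 if the fixed handler discards the same oversized request. */
int fixed_rejects_oversized(void)
{
    uint8_t arena[256], out[256];
    size_t rec_len = build_arena(arena, sizeof arena, 64);
    return hb_handle_fixed(arena, rec_len, out, sizeof out) == -1;
}

/* Response length for an honest request (claimed length matches the payload). */
int fixed_accepts_honest(void)
{
    uint8_t arena[256], out[256];
    size_t rec_len = build_arena(arena, sizeof arena, 3);
    return hb_handle_fixed(arena, rec_len, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler rejects oversized: %d\n", fixed_rejects_oversized());
    printf("fixed handler honest response length: %d\n", fixed_accepts_honest());
    return 0;
}
```

The over-read here stays inside a single local array so the demonstration is well-defined; in the real library the same copy walked past the end of the received record into whatever the process had in adjacent heap memory, which is why the flaw could expose keys, cookies and session data.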
The name Heartbleed, as well as the well-designed logo that has been reused in countless media reports, is the creation of security research firm Codenomicon. Along with Google security researchers, Codenomicon is taking credit for the initial discovery of the Heartbleed flaw.
The Heartbleed icon was created in-house by a Codenomicon designer, the firm’s chief marketing officer Hope Frank told eWEEK. Codenomicon also registered the domain heartbleed.com on April 5, which has served as a key resource to disseminate information about the security issue.
“Our intent was never to market, [but] rather to inform, educate and advise,” Frank said. “This is why we decided to post our internal Heartbleed content and created the website. The domain happened to be available. ”
Codenomicon wanted to use its findings to educate those who required the information quickly, Frank said, adding that the information was posted after OpenSSL.org discovered the flaw.
What happened to the disclosure process?
The whole disclosure process behind the Heartbleed flaw is also the subject of much scrutiny and interest. Typically, in an open-source security disclosure scenario, details are shared in advance, under some form of nondisclosure agreement (NDA), on a closed vendor security list. The general idea is that by working together, multiple vendors and services can all have patches ready to go when a public advisory is made.
That didn’t happen with Heartbleed.
Google and cloud security vendor CloudFlare were among a very small group that received early notice of the flaw and were patched on 7 April, prior to the public advisory from OpenSSL.
CloudFlare CEO Matthew Prince told eWEEK that his firm was in fact notified early last week by researchers involved in discovering the bug.
Other vendors and Web services, including cloud vendors, however, did not apparently get the same message. Cloud services vendor DigitalOcean is among those that were left scrambling to patch servers.
“In what we would consider to be one of the worst vulnerabilities that has been discovered in the modern Internet, I felt like the way the whole disclosure was handled was absolutely atrocious,” John Edgar, chief technology evangelist at DigitalOcean, told eWEEK.
Although it’s difficult to deal with sensitive security disclosures, more effort and broader dissemination could have been made to include and protect Internet services, Edgar said.
“From my perspective, it really feels like this Finnish security firm [Codenomicon] played Heartbleed as a marketing and PR play in the name of security,” Edgar said. “That’s a shame and will likely encourage other people to do the same.”
You can’t put the whole Internet on an NDA
Codenomicon has a different opinion on how the disclosure process was handled. Ari Takanen, chief research officer at Codenomicon, told eWEEK that his team found the Heartbleed bug while improving the SafeGuard feature in Codenomicon’s Defensics security testing tools. The SafeGuard feature of Codenomicon’s Defensics security test tools automatically tests a target system for weaknesses that compromise integrity, privacy or safety, he said.
Once Codenomicon discovered the Heartbleed bug, it was reported to the National Cyber Security Centre in Finland (NCSC-FI) for vulnerability coordination and reporting to the OpenSSL team.
“Within hours of discovery, we contacted NCSC-FI to handle the vulnerability coordination,” Takanen said. “We wrote a Q&A to support the vulnerability coordination when reaching out to the vendors and service providers; much faster than expected, others went public with the bug, and we felt that the Q&A could help the public as well.”
DigitalOcean’s Edgar noted that he understands it’s not possible to get the whole Internet under an NDA to inform all parties in advance about security issues. However, Edgar said he felt really bad for all the server administrators at vendors and service providers, including his competitor Amazon AWS, that had to rapidly scramble to address the Heartbleed issue.
“I feel bad for everyone that had to scramble to [make fixes] after the advisory went out, and that’s the point, we shouldn’t be left scrambling in situations like this; it was unfair and really poorly handled,” Edgar said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Originally published on eWeek.