Akamai Reissues All SSL Certificates After Admitting Heartbleed Patch Was Faulty

Posted by samzenpus
from the try-it-again dept.
SpacemanukBEJY.53u (3309653) writes "It took security researcher Willem Pinckaers all of 15 minutes to spot a flaw in code created by Akamai that the company thought shielded most of its users from one of the pernicious aspects of the Heartbleed flaw in OpenSSL. More than a decade ago, Akamai modified parts of OpenSSL it felt were weak related to key storage. Akamai CTO Andy Ellis wrote last week that the modification protected most customers from having their private SSL keys stolen despite the Heartbleed bug. But on Sunday Ellis wrote Akamai was wrong after Pinckaers found several flaws in the code. Akamai is now reissuing all SSL certificates and keys to its customers."
  • by Anonymous Coward on Monday April 14, 2014 @08:10AM (#46746269)

    The fact that they are re-issuing certificates clearly indicates that they were open to Heartbleed. They had tried to add another layer of protections to protect against bugs like this (which is honorable), but found that they were insufficient to protect the certificate. I haven't read up on the details, but it is likely that temporary decryption operations exposed enough information so that the ssl key could be regenerated, even if the ssl key itself was protected. Crypto is difficult, and trying to protect against unknown bugs is even harder.

  • by LordLimecat (1103839) on Monday April 14, 2014 @09:11AM (#46746965)

    IIS is not. It uses schannel, not OpenSSL.

  • by Anonymous Coward on Monday April 14, 2014 @10:04AM (#46747565)

    I can see financial institutions using an open solution for their public facing websites. But, how many actually "run" an operating system that is based on Open Source for their financial transactions?

    Many of them run their online banking websites on java, websphere, IIS and the like.

    And the issue isn't with the operating system, the issue is with an application, OpenSSL, which runs on many different operating systems.

    > The good news is, if your bank is FDIC insured, your money is safe - up to the limit of the insurance

    Completely irrelevant. FDIC insurance protects your money IF your bank goes bankrupt - that's all.

    FDIC insurance does NOT protect you from fraud or identity theft.
