Security

Heartbleed Disclosure Timeline Revealed

Posted by samzenpus
from the when-did-you-know dept.
bennyboy64 (1437419) writes "Ever since the Heartbleed flaw in OpenSSL was made public there have been various questions about who knew what and when. The Sydney Morning Herald has done some analysis of public mailing lists and talked to those involved with disclosing the bug to get to the bottom of it. The newspaper finds that Google discovered Heartbleed on or before March 21 and notified OpenSSL on April 1. Other key dates include Finnish security testing firm Codenomicon discovering the flaw independently of Google at 23:30 PDT, April 3. SuSE, Debian, FreeBSD and AltLinux all got a heads up from Red Hat about the flaw in the early hours of April 7 — a few hours before it was made public. Ubuntu, Gentoo and Chromium attempted to get a heads up by responding to an email with few details about it but didn't, as the guy at Red Hat sending the disclosure messages out in India went to bed. By the time he woke up, Codenomicon had reported the bug to OpenSSL."

  • by Red Herring (47817) on Monday April 14, 2014 @06:18PM (#46751463)

    > Google discovered Heartbleed on or before March 21 and notified OpenSSL on April 1. Other key dates include Finnish security testing firm Codenomicon discovering the flaw independently of Google at 23:30 PDT, April 2.

    Doesn't it seem strange that the flaw has existed for a long, long time (years?) but Codenomicon happens to find it less than a day after Google notified OpenSSL, and, per the article, "some infrastructure providers under embargo"? That just seems... unlikely. Not impossible, but it kind of makes you wonder who is leaking information...

  • Negligence (Score:4, Interesting)

    by Daniel Ellard (799842) on Monday April 14, 2014 @06:24PM (#46751507)
    Why did Google wait ten days before notifying OpenSSL? (even if they didn't trust OpenSSL to handle it responsibly, it couldn't have taken ten days for Google to patch their systems)
  • by Albanach (527650) on Monday April 14, 2014 @06:25PM (#46751519) Homepage

    Not necessarily. It may be that the bug was known to others and that Google and Codenomicon were both monitoring channels used by more nefarious types. Both organizations may have independently 'discovered' the bug after each becoming aware that an exploit existed without having full details of the exploit.

  • Damn sleep... (Score:3, Interesting)

    by Anonymous Coward on Monday April 14, 2014 @06:27PM (#46751545)

    > Ubuntu, Gentoo and Chromium attempted to get a heads up by responding to an email with few details about it but didn't, as the guy at Red Hat sending the disclosure messages out in India went to bed.

    I don't know why, but this reminded me of Cyril Evans [wikipedia.org]. Never go to bed.

  • by AdhSeidh (193409) on Monday April 14, 2014 @06:28PM (#46751559)

    Perhaps you have already forgotten about CVE-2014-1266, the Apple SSL/TLS bug from February; this is why every security group on the planet was looking for other encryption-related loopholes.

  • by rmdingler (1955220) on Monday April 14, 2014 @06:36PM (#46751607)
    In all likelihood, there was a "discovery" by Google that led to a sharing of information with Codenomicon... someone told an old college buddy or former co-worker.

    There were almost certainly folks who were aware of the vulnerability before Google.

    Were these folks criminals or government employees? And yes, there's a small difference... generally found in the probability for prosecution.
