Linked by Thom Holwerda on Tue 8th Apr 2014 22:06 UTC
Privacy, Security, Encryption

Heartbleed, a long-undiscovered bug in cryptographic software called OpenSSL that secures Web communications, may have left roughly two-thirds of the Web vulnerable to eavesdropping for the past two years. Heartbleed isn't your garden-variety vulnerability, so here's a quick guide to what it is, why it's so serious, and what you can do to keep your data safe.

Serious.

Thread beginning with comment 586751
RE[2]: Monoculture is bad
by bert64 on Wed 9th Apr 2014 10:08 UTC in reply to "RE: Monoculture is bad"
bert64, member since 2007-04-23

An even bigger portion of Apache servers don't use SSL at all...
Plenty of non-Apache webservers also use OpenSSL...
Lots of people are running old versions which date from before this bug was introduced, and thus were never vulnerable.

This is an issue with OpenSSL rather than Apache, and Apache itself is quite diverse - many different versions running on many different platforms with many different configurations. It's not ideal, but it could be a lot worse.

Reply Parent Score: 4

RE[3]: Monoculture is bad
by Lennie on Wed 9th Apr 2014 10:18 in reply to "RE[2]: Monoculture is bad"
Lennie, member since 2007-09-22

Let's say that more than 50% of all HTTPS websites run on nginx or Apache, and probably 99% of those use OpenSSL.

I picked lower than 66% because many have load balancers in front, and the share for Apache/nginx is lower for HTTPS than in general.

One article pointed to SSL Pulse, which says deployment of TLS 1.2 currently stands at about 30%. Older versions of the library don't support TLS 1.2.

So 30% of 50% is: very, very roughly, more than 15% of all HTTPS sites in total were vulnerable.

Obviously it isn't all that simple:

For example, in the case of login.yahoo.com, using a load balancer actually makes it worse.

They had a load balancer which uses OpenSSL, which was single-process and gave out username/password in the HTTP POST data of people logging in.

Doing everything centralized in a single process in this case turns out to be really bad.

Edited 2014-04-09 10:28 UTC

Reply Parent Score: 3