Linked by Thom Holwerda on Tue 8th Apr 2014 22:06 UTC
Privacy, Security, Encryption

Heartbleed, a long-undiscovered bug in cryptographic software called OpenSSL that secures Web communications, may have left roughly two-thirds of the Web vulnerable to eavesdropping for the past two years. Heartbleed isn't your garden-variety vulnerability, so here's a quick guide to what it is, why it's so serious, and what you can do to keep your data safe.


Thread beginning with comment 586753
RE[3]: Monoculture is bad
by Lennie on Wed 9th Apr 2014 10:18 UTC in reply to "RE[2]: Monoculture is bad"

Let's say that more than 50% of all HTTPS websites run on nginx or Apache and probably 99% of those use OpenSSL.

I picked lower than 66%, because many have load balancers in front and the share for Apache/nginx is lower for HTTPS than in general.

One article pointed to SSL Pulse, which says deployment of TLS 1.2 currently stands at about 30%. Older versions of the library don't support TLS 1.2.

So it's 30% of 50%: very, very roughly, more than 15% of all HTTPS sites in total were vulnerable.

Obviously it isn't all that simple:

For example, in the case of using a load balancer, it actually makes it worse.

They had a load balancer which uses OpenSSL, which was single process and gave out the username/password in the HTTP POST data of people logging in.

Doing everything centralized in a single process in this case turns out to be really bad.

Edited 2014-04-09 10:28 UTC

Reply Parent Score: 3
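The failure mode Lennie describes, one TLS-terminating process whose heap holds every client's traffic, is what turns a bounds-check bug in a heartbeat handler into a credential leak. The following is an added example, not code from OSNews, the commenter or OpenSSL: it models a single process's memory as a small constructed arena, puts a heartbeat request at the front and another user's constructed POST body (`POST_SECRET`) a little further along, then runs the request through a handler that trusts the peer-supplied payload length and through one that checks it against the record length actually received. The arena, the offsets, the `ping` payload and the helper names (`build_arena`, `run`, `reply_leaks_secret`) are all assumptions made for the demo; the arena bound in the vulnerable handler exists only to keep this program itself memory-safe, the real bug had no such bound.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat request as seen by the handler:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16)
 * The record layer separately reports how many bytes actually arrived (rec_len). */
#define HB_HEADER_LEN  3
#define HB_PADDING_LEN 16
#define ARENA_LEN      256

/* Constructed stand-in for the heap of a single TLS-terminating process. */
static unsigned char arena[ARENA_LEN];

/* Constructed POST body belonging to a different connection, sitting in the same heap. */
static const char POST_SECRET[] = "username=alice&password=hunter2";

/* Lay out the arena: a real 4-byte heartbeat payload with a claimed length of
 * claimed_len, then the other user's POST data at offset 64.
 * Returns the number of bytes that actually arrived in the record. */
static size_t build_arena(uint16_t claimed_len) {
    memset(arena, 'X', sizeof arena);
    arena[0] = 1; /* heartbeat request */
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + HB_HEADER_LEN, "ping", 4);
    memcpy(arena + 64, POST_SECRET, sizeof POST_SECRET);
    return HB_HEADER_LEN + 4 + HB_PADDING_LEN;
}

/* Vulnerable handler: echoes back as many bytes as the peer claimed, never
 * consulting rec_len. Whatever follows the payload in memory goes out on the wire. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap) {
    (void)rec_len; /* ignored: this is the bug */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t n = payload_len;
    /* Demo-only clamp so the read stays inside our arena; real code had none. */
    size_t avail = (size_t)((arena + ARENA_LEN) - (rec + HB_HEADER_LEN));
    if (n > avail) n = avail;
    if (n > out_cap) n = out_cap;
    memcpy(out, rec + HB_HEADER_LEN, n);
    return n;
}

/* Fixed handler: the claimed payload plus header and padding must fit in the
 * record that actually arrived, otherwise the request is silently discarded. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HEADER_LEN + HB_PADDING_LEN) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER_LEN + payload_len + HB_PADDING_LEN > rec_len) return 0;
    size_t n = payload_len > out_cap ? out_cap : payload_len;
    memcpy(out, rec + HB_HEADER_LEN, n);
    return n;
}

/* 1 if the reply contains the other connection's POST body, else 0. */
static int reply_leaks_secret(const unsigned char *reply, size_t n) {
    size_t slen = sizeof POST_SECRET - 1;
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(reply + i, POST_SECRET, slen) == 0) return 1;
    return 0;
}

/* Build the arena with a given claimed length and run one handler over it. */
static size_t run(int fixed, uint16_t claimed, unsigned char *reply, size_t cap) {
    size_t rec_len = build_arena(claimed);
    return fixed ? heartbeat_fixed(arena, rec_len, reply, cap)
                 : heartbeat_vulnerable(arena, rec_len, reply, cap);
}

int main(void) {
    unsigned char reply[ARENA_LEN];
    size_t n = run(0, 200, reply, sizeof reply);
    printf("vulnerable: claimed 200, replied %zu bytes, leaks POST data: %s\n",
           n, reply_leaks_secret(reply, n) ? "yes" : "no");
    n = run(1, 200, reply, sizeof reply);
    printf("fixed: claimed 200, replied %zu bytes\n", n);
    n = run(1, 4, reply, sizeof reply);
    printf("fixed: claimed 4, replied %zu bytes (%.*s)\n", n, (int)n, reply);
    return 0;
}
```

A 4-byte payload with a claimed length of 200 makes the vulnerable handler ship 200 bytes of heap, including the other user's credentials; the fixed handler drops the same request and only answers the honest one. The check mirrors the shape of the actual fix (header + claimed payload + padding must not exceed the received record length), but the surrounding program is illustrative, not OpenSSL's code.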