Once upon a time, Niels Bakker <niels=nanog@bakker.net> said:
> but here's the same news from a much more credible source:

Actually, that's the same news _from the same source_ as originally posted. That article also has other wonderful bits like:

> The Heartbleed flaw, introduced in early 2012 in a minor adjustment to the OpenSSL protocol, highlights one of the failings of open source software development. While many Internet companies rely on the free code, its integrity depends on a small number of underfunded researchers who devote their energies to the projects.

This is fairly typical big-business denigration of Open Source, ignoring the fact that (a) closed source software doesn't get reviewed for things like this, and (b) code like this isn't just written by "underfunded researchers". Red Hat (a billion-dollar company) got their package of OpenSSL through FIPS certification.

Even the opening of the article:

> The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information,

The flaw has only existed for two years and a couple of weeks (and how many websites deployed a brand-new OpenSSL the day it came out?). So unless the patch was authored by the NSA (which the patch author claims is not the case), they'd have to have known about it before it existed.

I don't even fully buy the "two-thirds of the world's websites". I'm not sure that 2/3 of the websites I visit even use SSL. Also, many versions of "enterprise" OSes like Red Hat Enterprise Linux weren't affected (RHEL 5 was not affected, and RHEL 6 was only affected starting with 6.5 from last November). There are a lot of web servers that aren't updated that often (or stay with more "stable" release trains).

-- 
Chris Adams <cma@cmadams.net>