Heartbleed OpenSSL Security Hysteria
Over the past week we have witnessed hysteria over the rotten Heartbleed OpenSSL bug.
Yes, it's serious. Yes, it's dangerous. And yes, it was there for a couple of years (it shipped in OpenSSL 1.0.1 in March 2012 and was fixed in 1.0.1g in April 2014), and you can bet some people knew about it long before it was announced. You can also bet it will remain unfixed in many places for a long time, because people are lazy or their setup is too complex to patch quickly.
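To make concrete why the bug deserves the word "serious", here is an added example in Python (not code from the original post and not OpenSSL's own code) that models heartbeat handling: an RFC 6520 heartbeat record, the missing bounds check in OpenSSL 1.0.1 through 1.0.1f (CVE-2014-0160), and the one-line check that 1.0.1g added. The fake heap, cookie and key string are constructed stand-ins; the function names are my own.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 24          # TLS content type for RFC 6520 heartbeat records
HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
MIN_PADDING = 16                     # RFC 6520: a heartbeat message carries >= 16 bytes of padding
TLS_1_2 = (3, 3)


def build_heartbeat_request(payload: bytes, claimed_length=None) -> bytes:
    """Build a heartbeat request record. A Heartbleed probe sets claimed_length far
    above len(payload): the length field lies and the extra bytes are never sent."""
    if claimed_length is None:
        claimed_length = len(payload)
    padding = b"\x00" * MIN_PADDING                  # constructed; real peers use random bytes
    body = struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + padding
    return struct.pack("!BBBH", HEARTBEAT_CONTENT_TYPE, *TLS_1_2, len(body)) + body


def parse_heartbeat(buf: bytes):
    """Parse the heartbeat record at the start of buf (bytes after it are ignored).
    Returns (declared_payload_length, record_body)."""
    if len(buf) < 5 + 3:
        raise ValueError("too short for a TLS record header plus heartbeat header")
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", buf[:5])
    if ctype != HEARTBEAT_CONTENT_TYPE:
        raise ValueError(f"content type {ctype} is not heartbeat (24)")
    body = buf[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("record length field exceeds the bytes received")
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type != HEARTBEAT_REQUEST:
        raise ValueError(f"heartbeat type {hb_type} is not a request")
    return payload_len, body


def is_heartbleed_probe(buf: bytes) -> bool:
    """The bounds check OpenSSL 1.0.1g added: the declared payload, its 3-byte header
    and the minimum padding must fit inside the record that actually arrived."""
    payload_len, body = parse_heartbeat(buf)
    return 1 + 2 + payload_len + MIN_PADDING > len(body)


def respond_vulnerable(process_memory: bytes, record_offset: int) -> bytes:
    """Model of 1.0.1f: trust payload_len and copy that many bytes from where the
    payload sits. process_memory is a constructed stand-in for the heap; the real
    code read past the record into whatever the allocator had placed next to it
    (this model simply stops at the end of the buffer)."""
    payload_len, _ = parse_heartbeat(process_memory[record_offset:])
    payload_start = record_offset + 5 + 3
    echoed = process_memory[payload_start:payload_start + payload_len]
    resp = struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + echoed + b"\x00" * MIN_PADDING
    return struct.pack("!BBBH", HEARTBEAT_CONTENT_TYPE, *TLS_1_2, len(resp)) + resp


def respond_patched(process_memory: bytes, record_offset: int):
    """Model of 1.0.1g: silently discard (return None) when the length check fails,
    otherwise echo only the bytes that were actually received."""
    buf = process_memory[record_offset:]
    if is_heartbleed_probe(buf):
        return None
    payload_len, body = parse_heartbeat(buf)
    echoed = body[3:3 + payload_len]                 # stays inside the received record
    resp = struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + echoed + b"\x00" * MIN_PADDING
    return struct.pack("!BBBH", HEARTBEAT_CONTENT_TYPE, *TLS_1_2, len(resp)) + resp


# Constructed stand-in for server memory: the attacker's record followed by data that
# happened to be adjacent on the heap. The secrets are made up for the demonstration.
PROBE = build_heartbeat_request(b"hi", claimed_length=0x4000)
FAKE_HEAP = (PROBE + b"\x00" * 8
             + b"Cookie: session=deadbeef\r\n"
             + b"-----BEGIN RSA PRIVATE KEY-----")

if __name__ == "__main__":
    print("probe flagged by fixed check:", is_heartbleed_probe(PROBE))
    print("1.0.1f leaks:", respond_vulnerable(FAKE_HEAP, 0)[8:])
    print("1.0.1g answers probe with:", respond_patched(FAKE_HEAP, 0))
    print("1.0.1g answers honest request:", respond_patched(build_heartbeat_request(b"hi"), 0))
```

The fixed check is the whole fix: with a 2-byte length field a single request can pull up to 64 KB of adjacent heap, and nothing in the protocol logs it, which is why patching is the only meaningful response.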
Anyway, why such hysteria? Only very cheap organizations expose their Apache frontend directly to the public. Almost any decent company puts a load balancer with SSL offload, or a web application firewall (WAF), in front of it (provided, of course, that the offloading device does not itself terminate TLS with a vulnerable OpenSSL build, which is the first thing to check).
Organizations with an IT budget that low are not supposed to be carrying important traffic, so exploiting this bug against them usually yields worthless data.
On the other hand, if this bug affects a serious organization holding sensitive information, I bet Heartbleed is the least of their problems. They probably have far worse holes in their abandoned IT infrastructure. And yes, such organizations exist.
So keep calm and don't worry. The NSA (and not only the NSA) has already deployed a new fix to compromise your daily security. Not that I imply Heartbleed was put there on purpose. Of course not.