Tech: Learnings from Heartbleed / OpenSSL remedial work

Posted on 10 April 2014 - Announcement
By Tibus

We’ve almost completed the remedial work required since the vulnerability was made public on Monday night. Now that we have, here is what we learned:
  1. The certificate authorities aren't built for flash crowds. No blame here; they couldn’t be expected to cope with most of their customers revoking and reissuing in the same week. But revocation and reissue has been the slowest element in the whole chain of work packages.
  2. Our scripts took ages to run fully: almost 11 hours. These were in Python and Bash. If you’re doing your own too, start them as soon as you can.
  3. Many folks thought this was a ‘hosting thing’ initially. General IT practitioners needed more persuasion to accept that their own ‘internal’ servers (anything terminating SSL, not just the public website) needed looking at too. This took up most of our time: helping folks who don’t work with SSL day to day.
  4. Lots of disagreement on whether we as an industry should recommend full password changes for the billions of Internet users out there. It’s easy to say ‘yes, change’, but the recommendation has to be proportionate to the risk, and the timing matters: a password changed before a site has patched and replaced its certificate can be harvested just like the old one. This is a good guide for laypeople, courtesy of Mashable.
  5. Statically linked OpenSSL was the most troublesome case. A binary with OpenSSL compiled in isn’t fixed by updating the system’s libssl package, doesn’t show up in the package manager’s view of what is installed, and has to be rebuilt or replaced by whoever shipped it.
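A triage check for that statically linked case, as an added example here rather than one of the scripts the post mentions: it looks for the version banner that libcrypto embeds in every binary it is compiled into, treats a file that carries the banner but names no shared libssl/libcrypto as a likely static link, and flags upstream versions 1.0.1 through 1.0.1f and 1.0.2-beta1 (1.0.1g is the fix; 0.9.8 and 1.0.0 never had the heartbeat code). The caveat a practitioner needs: distributions backported the fix without changing the banner, so a patched Debian or Red Hat 1.0.1e still reads 1.0.1e. Treat a hit as something to confirm with the vendor or a live test, not as proof. The default scan directories are an assumption, and the sample bytes in the test are constructed.

```python
"""Triage binaries for statically linked, Heartbleed-era OpenSSL.

Added example, not Tibus's remediation script. Two heuristics:
  * libcrypto embeds a banner such as "OpenSSL 1.0.1e 11 Feb 2013". A file
    that carries the banner but names no libssl.so/libcrypto.so dependency
    most likely has OpenSSL compiled in, so patching the system package does
    not fix it.
  * Upstream 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; 1.0.1g is
    the fix. Vendors backported the fix without bumping the banner, so a
    match is a candidate to verify, not a confirmed vulnerability.
"""
import re
import sys
from pathlib import Path

# Banner format from OPENSSL_VERSION_TEXT, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013"
BANNER_RE = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]?(?:-beta\d+)?)(?:-fips)? +\d{1,2} [A-Z][a-z]{2} \d{4}"
)
# A dynamically linked binary names its dependencies in .dynstr.
SHARED_LIB_RE = re.compile(rb"lib(?:ssl|crypto)\.so")


def heartbleed_vulnerable(version: str) -> bool:
    """Return True if an upstream OpenSSL version falls in the affected range."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version {version!r}")
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, fix) == (1, 0, 1):
        return letter <= "f"          # plain 1.0.1 and 1.0.1a..1.0.1f
    if (major, minor, fix) == (1, 0, 2):
        return beta == "1"            # only 1.0.2-beta1 shipped the bug
    return False


def classify_blob(data: bytes) -> dict:
    """Classify one file's contents: banners found, linkage, version status."""
    versions = sorted({m.group(1).decode() for m in BANNER_RE.finditer(data)})
    links_shared = SHARED_LIB_RE.search(data) is not None
    return {
        "versions": versions,
        "links_shared_openssl": links_shared,
        "likely_static_openssl": bool(versions) and not links_shared,
        "vulnerable_version": any(heartbleed_vulnerable(v) for v in versions),
    }


def scan(paths):
    """Yield (path, classification) for regular files that embed a banner."""
    for root in paths:
        for p in ([root] if root.is_file() else root.rglob("*")):
            if not p.is_file() or p.is_symlink():
                continue
            try:
                info = classify_blob(p.read_bytes())
            except OSError:
                continue
            if info["versions"]:
                yield p, info


if __name__ == "__main__":
    # Default directories are an assumption; pass your own as arguments.
    roots = [Path(a) for a in (sys.argv[1:] or ["/usr/bin", "/usr/sbin", "/opt"])]
    for path, info in scan(roots):
        flag = "REBUILD" if info["likely_static_openssl"] and info["vulnerable_version"] else "check"
        print(f"{flag:7} {path}  versions={','.join(info['versions'])}  static={info['likely_static_openssl']}")
```

Run it as root against the directories where vendor software lives; everything it prints deserves a look, but only the REBUILD lines are the statically linked, in-range cases that a package update cannot reach.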

Though this vulnerability publication absorbed millions of hours of industry time and caused anxiety out there, we felt the response was good. As technology ages, more weaknesses in it will inevitably come to light. That’s okay; that’s life.

It’s all about how we as a community react, I guess.