The fallout from the Heartbleed bug likely will be felt for a long time, but the immediate and urgent questions top of mind are which sites and products are affected, and which have been fixed. Then what? The scary reality is that even after a site or product is patched and users have changed their passwords, Heartbleed will not be over.
It is impossible to discern whether nation-states or well-funded cyber-criminals had already known about and exploited the flaw during the two years it has been in circulation in OpenSSL. This bug also has a long tail that reaches into internal networks, applications, and some mobile devices. Digital certificates have been exposed, and what was once a reliable and secure connection, SSL, has been compromised.
"OpenSSL is more than websites: it's server communications, products shipped with black boxes... those are going to take a while to update. Heartbleed is going to have a long-term effect and the industry is going to have to work pretty hard to fix it," says Barrett Lyon, founder & CTO of Defense.Net, a DDoS mitigation firm. "People are getting very diligent and updating things very quickly... But there are always going to be stragglers."
Dan Kaminsky, the security expert who discovered and coordinated the patching of the DNS caching flaw in 2008, says the Heartbleed disclosure represents a whole different ballgame. Kaminsky, who is co-founder and chief scientist at White Ops, says it has traditionally been the case that a bug is found, and the message is: now go and fix it.
Read the rest of this article on Dark Reading