Voltage Security Comments on ‘Heartbleed’ Bug
While ‘Heartbleed’ presents a clear and present risk of active exploitation against systems to steal data, the bigger danger is to systems that have relied on secure communications for things like key and credential exchange since the first affected version of OpenSSL was deployed. Affected entities therefore need, in particular, to review where affected versions of OpenSSL have been exposed externally, and establish what might have been transported, and so potentially put at risk, in past SSL sessions with client systems or other servers. That in itself may be very difficult, and it requires consideration of changing any credentials or certificates that were transported, and of monitoring other sensitive data which, if exposed, could lead to secondary compromises, theft, or further malware infestation.
Security vulnerabilities will always exist, and they provide the ideal beachhead from which attackers establish a data-stealing malware front line. In this case, Heartbleed’s significant data theft risk also emphasizes the need to take a different approach to data protection, above and beyond SSL: for example, encrypting the data well before it enters the SSL tunnel and keeping it encrypted after it exits, so that even if the transport is compromised, the data itself has no value to an attacker.
This ‘data-centric’, or end-to-end, protection model can reduce the need for SSL in some cases, and it also protects data well beyond the points where SSL starts and stops.
And in those cases where SSL plays a critical and essential role, move as soon as possible to transport implementations that are unaffected by, or patched against, this particular vulnerability.