[Linux-aus] Post in ZDnet re: Heartbleed

Glen Turner gdt at gdt.id.au
Thu Apr 17 12:49:18 EST 2014


> You're absolutely right, the process followed by the OpenSSL team and the
> various distributions in fixing this has been very well done and is a model
> for how these things should be fixed.

And here we part company. The advice for people with possibly-affected web 
servers should have been to shut that web server down. Then determine if 
the web server was vulnerable. Then patch it and reboot.

Not getting the web server offline immediately simply allowed people to 
pull 64KB blocks from web servers and archive them to disk for future 
analysis.

Instead we've had major websites stay up whilst determining if the 
vulnerability is present. The seriousness of the issue and ease of 
exploitation demanded a more rapid and abrupt response from systems 
administrators.

-glen

-- 
Glen Turner <http://www.gdt.id.au/~gdt/>
