Is Heartbleed really as bad as all that?

Okay, so there is a vulnerability in OpenSSL. And that’s bad. But the extent of alarmist rubbish out there about it is making me bonkers. This Globe piece is not the worst.

But here’s a thought for you. Vulnerabilities are discovered in software all the time. There’s a lot of competition between open source authors and commercial software authors as to which sort has more.

But a vulnerability is only a problem if there is an exploit (a program written to make use of the vulnerability for profit, vandalism or other unauthorized access) in the wild before a fix is available and applied. When an exploit is circulating before the developers have a fix out, the term we’re looking for is zero-day exploit.

Most researchers who look for vulnerabilities let the developers know about the problem before they make their big reveal (coordinated disclosure). That way the fix is out before the crackers, thieves, vandals and script kiddies have a chance to use the vulnerability.

Post-facto note: Thanks to Bob Chandler for pointing out that that’s sort of what happened. People too keen to take credit for the fix publicized the problem before people had had a chance to put out their fix. But I’m still not convinced there is or was an exploit in the wild.

So here’s where the hysteria leaves the path of normal security research sanity. When you see words to the effect of:

ZOMG it’s been around for two years what if people have been downloading my secret data for two years and I’m just about to lose everything. Quick – panic!

Do we actually believe that black-hat hackers could keep an exploit of a major package like this secret for two years? Yes, there’s secrecy among the black hats, but there’s also competition, ego and bragging rights.

And if there were an exploit that someone developed, tested and successfully deployed to (as is widely contemplated) steal account and credit card information, do you really think no one would notice the results?

Enough already.

BTW I’ve patched the two servers I run.
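For anyone doing the same patching, here is a quick version check, added to this post as an example and not something the post’s author wrote. It classifies the version token from `openssl version` against the Heartbleed-affected range (CVE-2014-0160: OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g; the 1.0.0 and 0.9.8 branches never had the heartbeat code). The function names and the sample version strings are my own.

```shell
#!/bin/sh
# Added example: decide whether an OpenSSL version string falls in the
# Heartbleed-affected range (CVE-2014-0160). Affected: 1.0.1 up to and
# including 1.0.1f. Fixed: 1.0.1g. Not affected: 1.0.0.x, 0.9.8x, LibreSSL.
# Function names here are illustrative, not part of OpenSSL or any distro tool.

# Returns 0 (true) when the version token is in the affected range, 1 otherwise.
heartbleed_version_vulnerable() {
    v="$1"
    case "$v" in
        # bare 1.0.1 (the first 1.0.1 release), with or without a suffix like -fips
        1.0.1|1.0.1-*)                      return 0 ;;
        # 1.0.1a .. 1.0.1f, with or without a suffix
        1.0.1[abcdef]|1.0.1[abcdef]-*)      return 0 ;;
        # everything else: 1.0.1g+, 1.0.0.x, 0.9.8x, LibreSSL, empty string
        *)                                  return 1 ;;
    esac
}

# Extract the version token from `openssl version` output,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e".
# Prints nothing for LibreSSL output, which then classifies as not affected.
openssl_version_token() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }'
}

# Live check on the current host. Exit status: 0 affected, 1 not affected
# by version string, 2 no openssl binary found.
check_local_openssl() {
    out=$(openssl version 2>/dev/null) || { echo "openssl not found"; return 2; }
    tok=$(openssl_version_token "$out")
    if heartbleed_version_vulnerable "$tok"; then
        echo "OpenSSL $tok is in the Heartbleed-affected range (verify distro patch state)"
        return 0
    fi
    echo "OpenSSL $tok is outside the affected range"
    return 1
}

# Constructed sample inputs, so the classifier can be exercised offline.
# sample_token="$(openssl_version_token 'OpenSSL 1.0.1e 11 Feb 2013')"   # -> 1.0.1e
# heartbleed_version_vulnerable "$sample_token" && echo affected
```

One caveat the version string cannot tell you: distributions such as Debian, Ubuntu and RHEL backported the fix without bumping the upstream version, so a patched system can still report 1.0.1e. On those, confirm through the package manager instead, for example `rpm -q --changelog openssl | grep -i CVE-2014-0160` on RPM systems or `apt-get changelog openssl` on Debian-based ones, and remember to restart every service that has libssl loaded after the update.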