Heartbleed’s ripping trust apart, but CERT-UK remains silent
Tim was recently interviewed by SC Magazine as to his views on the Heartbleed issue.
The newly formed CERT-UK seems to be doing very little to protect small businesses, and vulnerability researchers have favoured the bigger firms with plenty of advance warning. Vulnerabilities of this nature cripple e-commerce, and with the UK supposedly leading the world in e-commerce and digital business, this paints a poor picture of CERT-UK’s reactive and almost plagiaristic response.
The public need firm ACTION and not comments like “(CVE-2014-1060 also known as the ‘Heartbleed Bug’) affecting versions 1.0.1-1.0.1f of the OpenSSL cryptographic library, please upgrade to 1.0.1g as soon as possible”, as I’m sure less than 0.1% of business users that rely on e-commerce actually understand what this means, or are even aware that they may be using OpenSSL.
I’m pretty shocked to find researchers releasing this exploit into the wild, with an almost “we’re cool, we found it first” attitude. Heartbleed will affect people’s lives, people’s businesses and the Mumsnet incident is just the tip of the iceberg as the black hat community do as much land-grabbing as possible whilst the coast is clear.
I’d argue that critical vulnerabilities should be contained and remediation carried out before pulling the pin out of the grenade and throwing it over the fence. Is it really in the public interests and realms of responsible disclosure to put half a million websites at risks by publishing this? It’s a big problem – the open source community cannot fix this alone, OpenSSL is ubiquitous in any HTTPS *nix environment and I urge the government to classify this as a cyber security incident of national importance and plan a rapid, co-ordinated response before it gets out of hand.