This whole Heartbleed thing has me seriously wondering what is going on today with our security and our understanding of security. It is laughable!
First, if you are trusting OpenSSL, which is an OPEN SOURCE encryption SSL certificate generator, you need to be able to completely understand the source you are using before you implement it, because anyone else out there will be able to understand it too. That’s the downside of open source: it’s all hanging out there. Go and spend the money for a real trusted certificate.
Second, not only does a website have to be running the exact version of an OpenSSL cert, but the hacker has to be inside the network to be able to eavesdrop on the communications that are being relayed, whether it’s an employee, or Starbucks or airport WiFi.
So many people got their panties in a pinch when this came out. The news spread like wildfire and, in effect, revealed IT departments’ poor decision-making in selecting a good SSL certificate. It also revealed some bad decision-making on the part of hiring the right people. The thing with certificates and understaffed IT departments is that there is no specialist who understands the full ramifications. It is just funny! A crazy media pot of stew, just climbing up the ranks, stirring up unnecessary changing of passwords. Although passwords should always be on rotation.
Here’s to you Canada, congratulations.