It has been over a month since Heartbleed. Remember that day when we found out that half the private keys on the Internet were each available for the price of just a few TLS heartbeat packets? I thought that in just a few news cycles the press would forget all about this. But no, the Heartbleed drama continues. And that’s a good thing. Bringing visibility to cryptography should mean a more secure Internet in the future.
One of the reasons that Heartbleed is still in the news is because of researchers like Yngve Pettersen. Pettersen recently discovered, during a scan, hundreds of new internet hosts that appeared to be vulnerable to Heartbleed. It was especially confusing, because according to Pettersen, those hosts had previously tested negative. In his blog post of May 7, 2014, he called this set of “newly vulnerable” hosts “Heartbroken servers.” That’s kind of clever.
But the hosts also exhibited a different characteristic that suggested they might be F5 equipment.
Uh oh. Of course the tech press picked it up on a Friday. So it was an interesting weekend for all of us.
We contacted Pettersen and he was kind enough to share his data with us. We double-checked all of the hosts – fortunately none of them appeared to be our devices. We alerted Pettersen with our findings. He re-ran his scan and the new results were sufficiently divergent to make him question the data of the original scan. He updated his blog entry not only removing reference to these “Heartbroken” hosts as F5 devices but also offering an apology to F5 and F5’s customers. We think that was awesome, gracious, and exactly the right thing to do.
The underlying issue in all this is still very much worth investigation - to what extent is the Internet still vulnerable to Heartbleed? It is great that there are researchers like Pettersen who are trying to quantify the overall state of the vulnerability and to keep awareness high. He is to be commended for his efforts.
I would be remiss if I didn’t close on the following point.
Of the hundreds and hundreds of vulnerable servers found by Pettersen, not a single one was an F5 device. That’s pretty amazing, because (and most people don’t know this) a lot of the world’s SSL traffic is terminated at an F5 device. And they are all resistant to Heartbleed.