Akamai admits its OpenSSL patch was faulty, reissues keys

From InfoWorld: Akamai Technologies, whose network handles up to 30 percent of all Internet traffic, said Sunday a researcher found a fault in custom code that the company thought shielded most of its customers from the Heartbleed bug.

As a result, Akamai is now reissuing all SSL (Secure Sockets Layer) certificates and security keys used to create encrypted connections between its customers' websites and visitors to those sites.

"In short, we had a bug," wrote Andy Ellis, Akamai's CTO, in a blog post.

Akamai's customers include some of the world's largest banks, media, and e-commerce retailers. The company, which runs 147,000 servers in 92 countries, is one of thousands of organizations and companies that use the open-source OpenSSL cryptographic library.

Two years ago, a German programmer modified OpenSSL and made a mistake that could cause a Web server to divulge the private key used to create an SSL connection (the one indicated by the browser padlock), or other recent data sent to the server, such as usernames and passwords. It is one of the most serious bugs to affect the Internet in recent memory.

Akamai's servers would have been vulnerable to Heartbleed from August 2012 through April 4, Ellis wrote last Friday. During that period, it would have been possible for attackers to intercept passwords or steal other data such as session cookies.

But Ellis also wrote that Akamai customers would have been less vulnerable to an attack using Heartbleed to obtain a private SSL key.

The reason is that Akamai had added customized code to its OpenSSL deployment about a decade ago that modified how the secret keys used to create an SSL connection were stored.
