Heartbleed horror or just bleeding misleading?

Listen, it’s always good to take life seriously. But keep your baloney detector handy. There might be a problem — dare we say an attempt to terrify you — when the media quotes unknown experts as saying the Heartbleed bug is so catastrophic that on a scale of 10, Heartbleed is an 11. Such a useful point of reference. How about some facts?

Lewis Leong, writing in Softonic, says content delivery network CloudFlare released a report which found that there have been no verified reports of the theft of private keys. CloudFlare received early notice of the Heartbleed vulnerability and patched its own servers twelve days ago. It then began testing to see if it was possible to use Heartbleed to exploit its own services. “After extensive testing on our software stack, we have been unable to successfully use Heartbleed on a vulnerable server to retrieve any private key data,” wrote CloudFlare software engineer Nicholas Sullivan.

While the company says it could not exploit a vulnerable server, it does not rule out the possibility of an attack. CloudFlare does not “feel comfortable” saying the exploit won’t work but instead says it would be “very hard” to achieve. The company has set up a challenge for security researchers and hackers to exploit a vulnerable page using the Heartbleed bug.

Software company Netcraft also followed up its initial report about 66% of the web being vulnerable. Of the 66% of the web using OpenSSL, only 17.5% of those sites actually use the heartbeat extension that Heartbleed exploits. “Not all of these servers are running an HTTPS service, nor are they all running vulnerable versions of OpenSSL with heartbeats enabled,” writes web security tester Paul Mutton.
