
The events of this past week make me wonder how much Heartbleed would have been worth to an entity that buys zero day exploits.


Ask CloudFlare how much they paid.

No, I'm not saying they buy zero day exploits to be evil, but how else did they get 12 days' notice?


Because the researchers had the common sense of notifying the biggest targets in advance, I think.


I'll defend the researchers for trying to do a managed notification. But I wonder, did they try to reach out to the major OS vendors to see if they could get them any advance warning? Or ask OpenSSL if OpenSSL knew how to get in touch with people on the down-low?


The problem with distributions is that you, in most cases, don't know who is on the other end of the security@xxx.tld email address.

Being Google engineers, they should have direct contacts at Cloudflare and some other high-profile targets.


Obviously they don't just send the exploit directly in mail to a mailing list. Email, ask to talk to someone over the phone, explain the situation to that person, ask for references on prior releases being well-handled.

I want to avoid Monday morning quarterbacking, though. In hindsight the right course of action is always obvious.


If that were the case, AWS would've been on the list.


ITYM "target", and not even "biggest", really. They didn't responsibly disclose to any distributions.


Wouldn't it have made most sense to e-mail the OpenSSL team so they could have pushed a critical patch that everyone would have updated to via APT before shit went off of the hook?


They did; the problem is that the patch immediately shows you the security issue, and distributing a patch then means disclosing the bug.


I'm not 100% on the timeline but I'm pretty sure the OpenSSL team knew about this well before April 7th.


By being a major site that uses SSL. Many such users were notified ahead of time; it's nothing abnormal with responsibly disclosed bugs. As far as I'm aware, no money changed hands whatsoever.


CDNs are part of a group that receives advance notification because of their reach on the web; they're a valuable attack vector.


What about CloudFront? What about Akamai? What about every other CDN but CloudFlare?



