April 10, 2014

We are not bleeding from the "heartbleed"!

As you must be aware, this week there was a lot of buzz around the discovery of a major security vulnerability in OpenSSL known as “heartbleed”. Most hosting providers, website operators, and IaaS, PaaS, and SaaS vendors are going through a gripping phase of upgrading their servers and websites and communicating with their users and community. Two-thirds of the Internet’s web servers are compromised. This is possibly the worst vulnerability discovered so far: it leaves no trace of what has been compromised, by whom, or since when. Bruce Schneier, the security expert, rates this vulnerability at 11 on a scale of 1 to 10.

We are fortunate enough to have watched the action closely, and none of our products is affected by “heartbleed”, as we do not use OpenSSL. Our own Load Balancer and Web Server implementations, which are bundled as part of WaveMaker Gateway, use Java SSL, and this is a life-saver at the moment.

We have built our own HTTPS layer, a closed-source component built on the Java SSL libraries. We have always believed that having a closed-source security implementation is the first step to providing enterprise-grade security, and with this SSL vulnerability being unearthed it really turned out to be true.

What is the vulnerability?
To give a little insight into the security loophole: this is a programmer’s error in the OpenSSL implementation, a missing bounds check, combined with the C language’s inherent power of providing unbounded access to memory. Websites and hosted software that are vulnerable to this attack would have their TLS/SSL secret keys, private keys, and the names and passwords of their users exposed.
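The defect class described above is a length field read from the network and trusted without checking it against the bytes actually received. The following is an added illustration, not code from WaveMaker, OpenSSL, or the original post: it uses a simplified heartbeat-style record layout (type byte, two-byte big-endian payload length, payload, at least 16 bytes of padding) that is an assumption for the example, validates the declared length before copying, and, rather than performing the unchecked copy that would read past the buffer, reports how many bytes such a copy would have over-read. The two sample records are constructed test data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed simplified record layout (example only, not the real TLS encoding):
 *   rec[0]      type
 *   rec[1..2]   payload length, big-endian
 *   rec[3..]    payload, followed by at least HB_MIN_PADDING bytes of padding */
#define HB_HDR_LEN     3
#define HB_MIN_PADDING 16

/* The check the vulnerable code lacked: the declared payload length must fit
 * inside the record that was actually received, padding included. */
int hb_payload_len_ok(const uint8_t *rec, size_t rec_len, size_t *payload_len_out)
{
    if (rec_len < HB_HDR_LEN)
        return 0;
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR_LEN + declared + HB_MIN_PADDING > rec_len)
        return 0;                       /* malformed: reject, do not copy */
    *payload_len_out = declared;
    return 1;
}

/* Hardened echo: copies the payload only after validation.
 * Returns the number of bytes copied, or -1 if the record is malformed. */
int hb_echo_safe(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    size_t plen;
    if (!hb_payload_len_ok(rec, rec_len, &plen))
        return -1;
    if (plen > out_cap)
        return -1;
    memcpy(out, rec + HB_HDR_LEN, plen);
    return (int)plen;
}

/* What the unchecked code did was memcpy(out, rec + 3, declared) with no
 * comparison against rec_len. Instead of performing that copy (undefined
 * behaviour), this reports how many bytes past the end of the record it
 * would have read; 0 means the record is consistent. */
size_t hb_overread_bytes(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HDR_LEN)
        return 0;
    size_t declared  = ((size_t)rec[1] << 8) | rec[2];
    size_t available = rec_len - HB_HDR_LEN;
    return declared > available ? declared - available : 0;
}

/* Constructed sample records: 3-byte header, 5-byte payload "hello", 16 bytes of padding. */
#define SAMPLE_REC_LEN 24
static const uint8_t kGoodRecord[SAMPLE_REC_LEN] = {
    0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
/* Same bytes, but the length field claims 65535 bytes of payload. */
static const uint8_t kBadRecord[SAMPLE_REC_LEN] = {
    0x01, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    uint8_t out[64];
    int n = hb_echo_safe(kGoodRecord, SAMPLE_REC_LEN, out, sizeof out);
    printf("good record: copied %d bytes, would over-read %zu\n",
           n, hb_overread_bytes(kGoodRecord, SAMPLE_REC_LEN));
    n = hb_echo_safe(kBadRecord, SAMPLE_REC_LEN, out, sizeof out);
    printf("bad record:  result %d, would over-read %zu bytes\n",
           n, hb_overread_bytes(kBadRecord, SAMPLE_REC_LEN));
    return 0;
}
```

The point of `hb_overread_bytes` is defensive: it is the kind of assertion a fuzzer harness or unit test can make against a record parser, and any non-zero result is a record that the parser must reject rather than echo.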

Security experts have advocated using TLS/SSL for encrypting data and securing communications for years, so it is very unfortunate to find SSL vulnerable.

Deepak Anupalli,
Head of Engineering,
WaveMaker, Inc.