As you are probably aware, this week there was a lot of buzz around the discovery of a major security vulnerability in OpenSSL known as “Heartbleed” (CVE-2014-0160). Most hosting providers, website operators and IaaS, PaaS and SaaS vendors are going through a gruelling phase of upgrading their servers and websites and communicating with their users and communities. Roughly two-thirds of the Internet’s web servers run OpenSSL-based software and were potentially exposed. This is possibly the worst vulnerability discovered so far: exploiting it leaves no trace in server logs, so there is no way to tell what has been compromised, by whom, or since when. Bruce Schneier, the security expert, rates this vulnerability at 11 on a scale of 1 to 10.
We have been fortunate enough to watch the action from the sidelines: none of our products is affected by Heartbleed, as we do not use OpenSSL. Our own load balancer and web server implementations, which are bundled as part of WaveMaker Gateway, use the Java SSL/TLS libraries (JSSE), and this has been a life-saver.
We have built our own HTTPS layer, a closed-source component built on the Java SSL libraries. We have always believed that having a closed-source security implementation is the first step towards enterprise-grade security, and with this SSL vulnerability being unearthed that belief has really turned out to be true.
What is the vulnerability?
To give a little insight into the loophole: it is a programmer’s error in OpenSSL’s implementation of the TLS heartbeat extension (RFC 6520), combined with the C language’s willingness to read from any memory address without bounds checking. A heartbeat request carries a payload together with a 16-bit field stating the payload’s length, and the server echoes the payload back. The affected OpenSSL versions (1.0.1 through 1.0.1f) trusted that length field instead of checking it against the size of the record actually received, so a client that sends a tiny payload with a claimed length of up to 64 KB gets back up to 64 KB of whatever happened to sit next to the request in the server’s memory. Websites and hosted software vulnerable to this attack could have their TLS/SSL private keys, session keys, user names and passwords, and any other data held in process memory exposed, and the request can be repeated as often as the attacker likes.
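The missing check described above, shown side by side with the corrected logic. This is an added illustration written for this post, not OpenSSL’s code: the arena array standing in for the server’s heap, the `heartbeat_vulnerable` and `heartbeat_fixed` function names, the neighbouring “secret” string and the 64-byte claimed length are all constructed for the demonstration, and the arena-size guard in the vulnerable handler exists only to keep the demo’s over-read well defined (real OpenSSL had no such guard and read straight into adjacent heap memory).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the server's heap: the heartbeat request is placed
 * at the start and data belonging to another connection right after it. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];

/* RFC 6520 heartbeat message layout:
 *   type (1 byte) || payload_length (2 bytes) || payload || padding (>= 16 bytes) */
enum { HB_REQUEST = 1, HB_PADDING = 16 };

/* Writes a heartbeat request into the arena whose real payload is 2 bytes
 * but whose length field claims `claimed_len`. Returns the length of the TLS
 * record that actually carried the message (what a correct handler must trust). */
static size_t build_request(uint16_t claimed_len) {
    const char *payload = "hi";                                   /* 2 bytes really sent */
    const char *neighbour = "SESSION=deadbeef;password=hunter2";  /* constructed secret */
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(&arena[3], payload, 2);
    size_t record_len = 1 + 2 + 2 + HB_PADDING;                   /* 21 bytes on the wire */
    memcpy(&arena[record_len], neighbour, strlen(neighbour));     /* "adjacent heap" */
    return record_len;
}

/* Vulnerable handler, modelled on the pre-1.0.1g logic: it trusts the length
 * field and never consults record_len, so it copies far beyond the bytes the
 * client actually sent. Returns bytes copied into out, or -1 on rejection. */
static int heartbeat_vulnerable(const unsigned char *p, size_t record_len,
                                unsigned char *out, size_t out_cap) {
    (void)record_len;                                  /* the bug: this is ignored */
    if (p[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    /* Demo-only guard so the over-read stays inside the arena; real OpenSSL had
     * no equivalent and read straight into neighbouring heap memory. */
    if (3 + (size_t)payload_len > ARENA_SIZE || payload_len > out_cap) return -1;
    memcpy(out, p + 3, payload_len);                   /* over-read happens here */
    return (int)payload_len;
}

/* Fixed handler, modelled on the 1.0.1g check: header + claimed payload +
 * minimum padding must fit inside the record that was actually received,
 * otherwise the message is silently discarded. */
static int heartbeat_fixed(const unsigned char *p, size_t record_len,
                           unsigned char *out, size_t out_cap) {
    if (record_len < 1 + 2 + HB_PADDING) return -1;    /* too short to be valid */
    if (p[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > record_len) return -1; /* bounds check */
    if (payload_len > out_cap) return -1;
    memcpy(out, p + 3, payload_len);
    return (int)payload_len;
}

/* Naive substring search over a byte buffer (no memmem in standard C). */
static int contains(const unsigned char *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; m <= n && i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Malicious request: 2-byte payload, claimed length 64. Returns 1 if the
 * vulnerable handler's reply contains the neighbouring connection's secret. */
static int vulnerable_leaks_secret(void) {
    unsigned char out[ARENA_SIZE];
    size_t record_len = build_request(64);
    int n = heartbeat_vulnerable(arena, record_len, out, sizeof out);
    return n == 64 && contains(out, (size_t)n, "password=hunter2");
}

/* Same malicious request against the fixed handler: expect rejection (-1). */
static int fixed_discards_malicious(void) {
    unsigned char out[ARENA_SIZE];
    size_t record_len = build_request(64);
    return heartbeat_fixed(arena, record_len, out, sizeof out);
}

/* Honest request (claimed length matches the 2 bytes sent): expect 2 bytes echoed. */
static int fixed_echoes_honest(void) {
    unsigned char out[ARENA_SIZE];
    size_t record_len = build_request(2);
    return heartbeat_fixed(arena, record_len, out, sizeof out);
}

int main(void) {
    printf("vulnerable handler leaks secret: %s\n", vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler on malicious request: %d\n", fixed_discards_malicious());
    printf("fixed handler on honest request: %d\n", fixed_echoes_honest());
    return 0;
}
```

The whole fix is the single comparison in `heartbeat_fixed` against `record_len`: the length the record layer actually delivered is the only number the server can trust, and the attacker-supplied `payload_length` must be validated against it before a single byte is copied. Note also that the request is well-formed TLS, so nothing in the vulnerable path logs or errors; that is why an exposed server cannot tell after the fact whether it was exploited.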
Security experts have advocated TLS/SSL for encrypting data and securing communications for years, and it is very unfortunate to find the most widely deployed implementation of it vulnerable. The protocol itself is not broken: the flaw lies in OpenSSL’s heartbeat code, and OpenSSL 1.0.1g (or a build with the heartbeat extension disabled) fixes it. Patching alone is not enough for a server that was exposed, though: its private key may already have been read out, so certificates should be reissued and the old ones revoked, and users should reset their passwords once the fix is in place.
Head of Engineering,