I mentioned a couple items in the Security Monitoring webinar today:
- The Heartbleed bug arose from a reasonable-sounding feature request: the client could send periodic “heartbeat” requests to the server to check whether the connection was still alive. The feature was implemented very badly, however, and that implementation flaw became the Heartbleed bug.
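To make the “implemented very badly” part concrete, here is an added illustration that is not from the webinar or from OpenSSL: a simplified C model of a TLS heartbeat record (layout as in RFC 6520: 1 byte type, 2-byte big-endian payload length, payload, at least 16 bytes of padding) handled two ways. The vulnerable handler trusts the peer’s length field and echoes that many bytes; the hardened one first checks that the declared payload actually fits inside the record received and otherwise drops it. The `arena` buffer, the `secret` string placed after the record, and all function names are constructed for this example.

```c
/* Added illustration of a Heartbleed-style missing length check.
 * Not OpenSSL code: a simplified model of a heartbeat record.
 * Assumed layout (RFC 6520): type (1 byte), payload_length (2 bytes,
 * big-endian), payload, then at least 16 bytes of padding. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed "process memory": the record sits at the start of the arena
 * and a secret unrelated to this connection sits directly after it. */
static unsigned char arena[70000];
static const char secret[] = "CONSTRUCTED-SECRET-KEY-MATERIAL";

/* Build a record carrying the 3-byte payload "abc" but with whatever
 * payload_length the peer chooses to claim. Returns the real record length. */
static size_t build_record(uint16_t claimed_len)
{
    const unsigned char payload[] = "abc";
    size_t real_payload = sizeof(payload) - 1;
    size_t n = 0;
    memset(arena, 0, sizeof(arena));
    arena[n++] = HB_REQUEST;
    arena[n++] = (unsigned char)(claimed_len >> 8);
    arena[n++] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + n, payload, real_payload); n += real_payload;
    memset(arena + n, 0, HB_PADDING);         n += HB_PADDING;
    /* The record ends here; what follows was never sent by the peer. */
    memcpy(arena + n, secret, sizeof(secret));
    return n;
}

/* Vulnerable handler: never consults rec_len, so it copies as many bytes
 * as the peer claimed, reading past the end of the record. */
static size_t hb_respond_vulnerable(const unsigned char *rec, size_t rec_len,
                                    unsigned char *out)
{
    (void)rec_len;                                   /* the bug: ignored */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);           /* over-read */
    return 3 + payload_len;
}

/* Hardened handler: silently discards any record whose declared payload
 * plus mandatory padding does not fit in the bytes actually received. */
static size_t hb_respond_fixed(const unsigned char *rec, size_t rec_len,
                               unsigned char *out)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;                                    /* too short: drop */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len)
        return 0;                                    /* length lies: drop */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    return 3 + payload_len;
}

/* 1 if the response contains the secret that was never part of the record. */
static int leaks_secret(const unsigned char *resp, size_t resp_len)
{
    size_t slen = sizeof(secret) - 1;
    for (size_t i = 0; i + slen <= resp_len; i++)
        if (memcmp(resp + i, secret, slen) == 0)
            return 1;
    return 0;
}

/* Helpers that drive both handlers for a given claimed length. */
static int vulnerable_leaks(uint16_t claimed_len)
{
    static unsigned char resp[70000];
    size_t rec_len = build_record(claimed_len);
    size_t n = hb_respond_vulnerable(arena, rec_len, resp);
    return leaks_secret(resp, n);
}

static size_t fixed_response_len(uint16_t claimed_len)
{
    static unsigned char resp[70000];
    size_t rec_len = build_record(claimed_len);
    return hb_respond_fixed(arena, rec_len, resp);
}

int main(void)
{
    printf("honest record (3 bytes): vulnerable leaks=%d, fixed echoes %zu bytes\n",
           vulnerable_leaks(3), fixed_response_len(3));
    printf("lying record (claims 200): vulnerable leaks=%d, fixed echoes %zu bytes\n",
           vulnerable_leaks(200), fixed_response_len(200));
    return 0;
}
```

The fix is a single comparison of the declared length against the record length, which is also why the bug was so easy to miss in review: nothing about the code path looks unusual until you ask where the extra bytes come from.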
How bad was it? Bruce Schneier’s blog leads with this sentence: “Heartbleed is a catastrophic bug in OpenSSL.” Read the remainder at Schneier on Security: Heartbleed. The official Heartbleed site also gives good information.
The best explanation of the Heartbleed bug for non-techies comes (as always) from XKCD.
Please contact me if you would be interested in a version of the “Check SSL Certificate” probe that can run on Windows. I will collect these requests to judge the interest in the probe.
Thanks to all who attended!