Heartbleed Bug Creates Risk for Businesses and Consumers



On April 8, 2014, several news agencies, including the New York Times and CNN, reported the discovery of a vulnerability in a core security protocol used by an estimated two-thirds of the world’s servers. The vulnerability lies within the OpenSSL encryption technology used for conducting a multitude of internet communications including online transactions previously thought to be secure. Would-be hackers can exploit this flaw to obtain financial information, usernames, passwords, security keys and almost any other data without leaving a trace. Companies and individuals are urged to take steps to both secure their online accounts and assess their exposure to malicious activity. Companies and organizations that use cloud technology or other online services should understand what protections their service providers have put in place and investigate whether additional action is warranted.

The vulnerability, known by the moniker Heartbleed or the Heartbleed bug, was disclosed last week by a Google employee and an independent Finnish company named Codenomicon. According to the researchers, the vulnerability affects the OpenSSL 1.0.1 implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. OpenSSL is widely used to secure thousands of websites, as well as to provide security for mobile devices, virtual private networks and hardware.

While online service providers and tech companies scramble to deliver and apply patches, many systems are still at risk and have been for an estimated two years previously – since March 2012. Google, Amazon, Instagram and many other notable online businesses and app developers have already reportedly taken steps to secure their sites. Since the use of OpenSSL is so widespread, many smaller online companies, who may not have the resources of online giants, are still at risk. Patches need to be applied, compromised certificates need to be replaced, and passwords should be reset. This undertaking and auditing process will be difficult and burdensome. The patching process is likely to be further complicated where hardware is not connected to a network, such as industrial control equipment, which may require a physical connection to the affected equipment to apply the patch.

Once the immediate threat has passed, this event may also provide an opportunity to review security incident response plans as well as vendor relationships for the appropriate contractual protections.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing LLP | Attorney Advertising
