Akamai's Heartbleed patch doesn't actually do anything

Akamai Technologies, whose network handles up to 30 percent of all Internet traffic, said Sunday a researcher found a fault in custom code that the company thought shielded most of its customers from the Heartbleed bug. As a result, Akamai is now reissuing all SSL certificates and security keys used to create encrypted connections between its customer’s websites and visitors to those sites.

Akamai, the network provider that handles nearly one-third of the Internet’s traffic, released a Heartbleed patch to the community on Friday, saying that it would protect against the critical Web threat. Now it appears that’s not the case. Writing on his company’s blog Sunday night, Akamai chief security officer Andy Ellis said that while he had believed the Akamai Heartbleed patch fully fixed the issue, a security researcher discovered it had a bug that caused it to be a partial, not full, patch. “In short: we had a bug,” Ellis wrote. “An RSA key has 6 critical values; our code would only attempt to protect 3 parts of the secret key, but does not protect 3 others.”

Read full article

Comments