Since Akami handles almost 1/3 of the Internet’s traffic so their patch that didn’t patch so much is a big deal.
Akami’s patch was supposed to have handled the problem. Turns out it protects only three of six critical encryption values.
Writing on his company’s blog Sunday night, Akamai chief security officer Andy Ellis said that while he had believed the Akamai Heartbleed patch fully fixed the issue, a security researcher discovered it had a bug that caused it to be a partial, not full, patch.
“In short: we had a bug,” Ellis wrote.”An RSA key has 6 critical values; our code would only attempt to protect 3 parts of the secret key, but does not protect 3 others.”
The Heartbleed bug has become one of the worst Web security issues in recent history. Two years ago, a modification was made to OpenSSL, an encryption technology designed to ensure safe harbor for sensitive data traveling around the Web, that left it vulnerable to malicious hackers. By exploiting the bug, hackers could sidestep the encryption and access everything from usernames and passwords to session cookies.
“As a courtesy to us, we were notified shortly before public disclosure, which gave us enough time to patch our systems,” Ellis wrote.”We were asked not to publicly disclose the vulnerability, as doing so would have shortened the window of opportunity for others to fix their systems.Once we were notified, our incident management process governed patching, testing, and deploying the fix to our network safely.”
All of that came unraveled over the weekend when security researcher Willem Pinckaers wrote his own blog post, saying that the OpenSSL fix Akamai put in place and subsequently released to the public didn’t fix the problem.
“This patch does not, on its own, protect against private key disclosure through Heartbleed,” Pinckaers wrote to Akamai customers. “This means your certificates on Akamai servers need to be rotated, and anything sent before then is vulnerable to Heartbleed compromise. If you send customer passwords to Akamai, you should ask your customers to change their passwords again. They’ll enjoy that.”