Unfortunately, one of the biggest vulnerabilities disclosed this year, Heartbleed, has been inefficiently addressed and, for some, already forgotten. Plenty of details about the vulnerability already exist, including our FAQ and releases covering the vulnerability for Trustkeeper, Trustwave WAF and our other products. In this post, however, I will focus on correcting some misconceptions related to Heartbleed.
The reason for this somewhat dated discussion is recent reports showing that approximately half of the services vulnerable to Heartbleed have yet to be patched. Be it negligence, apathy or perhaps miscommunication, such a report shows that a considerable number of administrators are not taking the responsibility of managing Internet-facing services as seriously as I would like. Below I correct eight misconceptions related to Heartbleed that I suspect may be to blame for the lack of patching and/or identification of the Heartbleed vulnerability.