New OpenSSL Flaws Aren’t a Heartbleed Repeat
The lessons of Heartbleed have been learned well. The open-source OpenSSL Project disclosed and patched seven security updates on June 5, and the process was markedly different from the activity that led up to the disclosure of the Heartbleed flaw in April.
The Heartbleed flaw, perhaps one of the most widespread security vulnerabilities of the past decade, left hundreds of thousands of users and organizations at risk while fixes were rolled out. The security updates to OpenSSL—a widely used open-source cryptographic library for implementing Secure Sockets Layer (SSL) encryption—should be seen in a different light for a variety of reasons.
One of the biggest differences between the new set of flaws and the Heartbleed vulnerability has to do with disclosure. There was a gap in the disclosure process for the Heartbleed flaw that somehow gave preferential access only to Google and CloudFlare, while other organizations struggled to package the patch after the OpenSSL project made its disclosure.