Akamai Diversity

The Akamai Blog

Poodle, Shellshock and Heartbleed: Resources

It's been a year of major security vulnerabilities. Last week we worked to mitigate the Poodle vulnerability. Two weeks before that was Shellshock and in April we had Heartbleed. All have shaken the security industry to the core, and Akamai staff have spent countless hours working to protect customers against these threats.

To get a wider perspective of our actions in the face of such incidents, here's a collection of resources -- essentially everything we've had to say about Poodle, Shellshock and Heartbleed.

May you find it useful and insightful.


This issue stems from a design vulnerability in how SSL 3.0 handles block cipher mode padding. The POODLE attack (Padding Oracle On Downgraded Legacy Encryption) shows how the bad guys can exploit the vulnerability to decrypt and pull information from within an encrypted transaction.

Poodle FAQ: What Customers Need to Know
The Poodle attack (CVE-2014-3566) raised many questions from our customers, peers, auditors, and prospects. This post addresses some of the most frequently asked questions, and provides an update on how Akamai is handling its operations during this industry-wide event.

SSL is dead, long live TLS
CSO Andy Ellis' initial blog post on Poodle, and how it will speed the transition from SSL to TLS.

Excerpt: How Poodle Happened
An excerpt from Akamai Security Researcher Daniel Franke's blog post on the POODLE vulnerability. 


"Shellshock" is the industry name for a collection of vulnerabilities in bash (the Bourne Again SHell). It is a common shell for evaluating and executing commands from users and other programs.

A look at two of six security holes summarized last week in six CVE advisories. These were the last two to be published.

Shellshock Update
CSO Andy Ellis' update to customers on the Shellshock situation, published Thursday afternoon.

Environment Bashing
CSO Andy Ellis' first post regarding the threat.

Akamai Launches New Protection for Shellshock-Bash
An update on what Akamai is doing to protect customers from the Shellshock-Bash vulnerability, by Akamai Director of Product Marketing Daniel Shugrue.

Shellshock-Bash CVE List: Where Akamai Fits In
A look at all of the CVE advisories now in circulation, and how they relate to Akamai's mitigation strategies, by Akamai CSO Andy Ellis, Akamai Chief Security Architect Brian Sniffen, and Akamai Senior Program Manager Bill Brenner.

Shellshock Bash Explained
In this podcast, Akamai's Martin McKeay, Michael Smith and Bill Brenner discuss the Shellshock Bash bug and what Akamai is doing to keep customers secure.

Through The Bashdoor
The Shellshock story as told by Akamai's Security Platform Statistics, by Ezra Caltum, Adi Ludmer and Ory Segal

Heartbleed is a bug in the TLS heartbeat implementation where an adversary sends a request to be echoed back; and specifies a length of the response to be echoed.

The Brittleness of the SSL/TLS Certificate System
Despite the time and inconvenience caused to the industry by Heartbleed, its impact does provide some impetus for examining the underlying certificate hierarchy. 

Podcast: CSO Andy Ellis on Heartbleed
My "lessons learned" interview with Andy.

Heartbleed: A History
A history of Heartbleed.

Heartbleed Update 
During the Heartbleed crisis, we gave a series of updates in The Akamai Blog. This was the third such update, which captured all the important points.