The Akamai Blog

Recently by Andy Ellis

Andy Ellis

October 14, 2014 6:48 PM

SSL is dead, long live TLS

An attack affectionately known as "POODLE" (Padding Oracle On Downgraded Legacy Encryption) should put a stake in the heart of SSL and move the world forward to TLS. There are two interesting vulnerabilities: POODLE, and the SSL/TLS versioning fallback mechanism. Both of these vulnerabilities are discussed in detail in the initial disclosure. POODLE: POODLE is a chosen-plaintext attack similar in effect to BREACH; an adversary who can trigger requests from

Andy Ellis

October 1, 2014 3:59 PM

Shellshock Update

The Shellshock vulnerability, originally announced as one critical issue in bash that allowed an adversary to execute arbitrary code, has grown from one vulnerability to six in the last week. For background on Shellshock, we've collected an overview and list of the vulnerabilities; for some history on Akamai's initial responses, read our original blog post. Shellshock raised a lot of questions among our customers, peers, auditors, and prospects. This

Andy Ellis

September 24, 2014 10:58 AM

Environment Bashing

[UPDATE: 9/25/2014 11:30AM] Akamai is aware that the fix to CVE-2014-6271 did not completely address the critical vulnerability in the Bourne Again Shell (bash). This deficiency is documented in CVE-2014-7169. The new vulnerability presents an unusually complex threat landscape as it is an industry-wide risk. Akamai systems and internal Akamai control systems have been or are being urgently patched or otherwise mitigated in prioritized order of criticality. Akamai has developed

Andy Ellis

June 5, 2014 1:09 PM

OpenSSL vulnerability (CVE-2014-0224)

The OpenSSL Project today disclosed new vulnerabilities in the widely-used OpenSSL library. These are vulnerabilities that can potentially impact OpenSSL clients and servers worldwide. The most interesting is the ChangeCipherSpec Injection, which would enable a man-in-the-middle attack to force weaker ciphers into a communication stream. Akamai SSL services (both Secure Content Delivery and Secure Object Delivery) have been patched for this vulnerability. The other vulnerabilities are relatively uninteresting for our

Andy Ellis

May 19, 2014 12:32 PM

The Brittleness of the SSL/TLS Certificate System

Despite the time and inconvenience caused to the industry by Heartbleed, its impact does provide some impetus for examining the underlying certificate hierarchy. (As an historical example, in the wake of CA certificate misissuances, the industry looked at one set of flaws: how any one of the many trusted CAs can issue certificates for any site, even if the owner of that site hasn't requested them to do so; that

Andy Ellis

April 16, 2014 1:03 PM

Heartbleed: A History

In the interest of providing an update to the community on Akamai's work to address issues around the Heartbleed vulnerability, we've put together this outline as a brief summary: Akamai, like all users of OpenSSL, was vulnerable to Heartbleed. Akamai disabled TLS heartbeat functionality before the Heartbleed vulnerability was publicly disclosed. In addition, Akamai went on to evaluate whether Akamai's unique secure memory arena may have provided SSL key protection

Andy Ellis

April 13, 2014 7:20 PM

Heartbleed Update (v3)

Over the weekend, an independent security researcher contacted Akamai about some defects in the software we use for memory allocation around SSL keys. We discussed Friday how we believed this had provided our SSL keys with protection against Heartbleed and had contributed the code back to the community. The code that we had contributed back was, as we noted, not a full patch, but would be a starting point for

Andy Ellis

April 11, 2014 2:30 PM

Heartbleed Update

Update 2014-04-13: Our beliefs in our protection were incorrect; update here. Today, we provided more information to our customers around the research we've done into the Heartbleed vulnerability. As our analysis may inform the research efforts of the industry at large, we are providing it here. Summary: Akamai patched the announced Heartbleed vulnerability prior to its public announcement. We, like all users of OpenSSL, could have exposed passwords or session

Andy Ellis

April 8, 2014 11:18 AM

Heartbleed FAQ: Akamai Systems Patched

Update 2014-04-11: Updated information on our later analysis here. We're getting a lot of questions about the OpenSSL Heartbleed fix. What follows are the most commonly asked questions, with our answers. The Heartbleed bug affects the heartbeat functionality within the TLS/DTLS portion of the library. It allows the attacker to -- silently and without raising alarms -- dump portions of the server's memory to the client. This can allow the