What to do with your OpenSSL system: Secure it or replace it?
Bad memories persist of the Secure Sockets Layer (SSL) exploit called Heartbleed, a vulnerability in the OpenSSL software that could be used to extract information from your network.
With so much of the Internet utilizing OpenSSL, the announcement of the Heartbleed exploit sent shock waves. Now that some time has passed and the media frenzy has died down, the question somehow still remains: what should you do with your OpenSSL system?
Option 2: Seek OpenSSL alternatives
But should you start thinking about alternatives? Think about the number of products that have built-in Web servers with remote management options. The list is seemingly endless. And herein lies the issue: each of these products has chosen some kind of SSL implementation to allow for secured browser management access. Unfortunately, these SSL implementations usually cannot be changed by the user or IT department purchasing the product. Thankfully, many of these products have been built on a variety of different SSL implementations.
InfoWorld has reviewed four different tools³, including options from Mozilla, GnuTLS, PolarSSL and MatrixSSL. Check out their review and see if one of these tools will work for your situation, or is already part of your current infrastructure. For example, many Linux-based products make use of the Mozilla SSL software, which didn’t have the particular vulnerability found in OpenSSL.
Considering the revelations and issues that have come to light since Heartbleed, these alternatives to OpenSSL currently seem the safer option.
- ¹ Larry Seltzer, "OpenSSL fixes another severe vulnerability", ZDnet.com, 06 Jun 2014. Accessed 07 Nov 2016.
- ² Tenable.com, "Heartbleed: Tenable Network Products Provide Strategic Solutions". Accessed 18 Nov 2016.
- ³ Serdar Yegulalp, "After Heartbleed: 4 OpenSSL alternatives that work", InfoWorld, 11 April 2014. Accessed 07 Nov 2016.