While there is a fixed OpenSSL version that websites can download, it can take time to roll out the new program across a website's entire infrastructure. Budd notes that companies will have to weigh the risk of an attack against the potential that the entire website might come crashing down if a new coding error is introduced. That might dissuade companies from acting quickly. Additionally, after a website installs the new "fix," it needs to update its SSL certificate, a process that can take a little time. Jeremy Gillula, staff technologist at the Electronic Frontier Foundation, notes that even if a website has downloaded the fix, if it hasn't updated its certificates, it "could still be subject to a man-in-the-middle attack on its users."

Wednesday, April 9, 2014
Mother Jones
