It has barely been a month since the announcement of the Heartbleed bug, and all seems to have gone fairly quiet. What has happened in the meantime? What’s the cost of the breach? How many people and organizations did it really impact? Are there affected systems still out there today? What went wrong in the first place? What should we do going forward to prevent this from happening again?
So far, the only known or published breach due to Heartbleed is the Canada Revenue Agency. We expect more to appear, but because of the nature of the bug and the fact that exploitation doesn’t leave a trace, we will never know the true impact. What we are starting to see are some cost estimates of the damage. As an example, many organizations need to revoke SSL certificates and issue new ones. The traffic alone for delivering certificate revocation lists can mean large bills in the several-hundred-thousand-dollar range. Add up all the providers that need to revoke certificates, and the sum could be astronomical. A total figure of $500 million has been floated around, and some think that number is on the low side.