Akamai Heartbleed patch not a fix after all

[Borg 386]

Akamai, the network provider that handles nearly one-third of the Internet's traffic, released a Heartbleed patch to the community on Friday, saying that it would protect against the critical Web threat. Now it appears that's not the case.

Writing on his company's blog Sunday night, Akamai chief security officer Andy Ellis said that while he had believed the Akamai Heartbleed patch fully fixed the issue, a security researcher discovered it had a bug that caused it to be a partial, not full, patch.

"In short: we had a bug," Ellis wrote. "An RSA key has 6 critical values; our code would only attempt to protect 3 parts of the secret key, but does not protect 3 others."

Akamai is now heading back to the drawing board. Ellis says that his company has already started rotating SSL certificates that are vulnerable to protect its customers. Ellis says that some certificates will rotate quickly, while others will take a bit longer.

CNET has contacted Akamai for additional comment on the security flaw. We will update this story when we have more information.

Akamai Heartbleed patch not a fix after all - CNET