Too bad the SSL VPN concentrator from this article didn't apply a HMAC key that an attacker would have needed to know before he'd even been able to initiate a TLS handshake to probe the Heartbleed vulnerability.
They probably had an "appliance" that if they chose to update manually would fall out of support terms and then would be stuck with an unsupported instance of a device they likely paid tens of thousands to the vendor for the appliance, software, and support; and the vendor probably had not yet released a supported update to fix the problem.
It's the problem of bureaucracy again... where policies get in the way of common sense, productivity, and even security. Very little angers me more than not being able to fix something that I know how to fix, and could probably do in a few minutes, because some stupid policy says I'm not "allowed to".
On the other hand, how many overconfident newbies have "fixed" things they weren't "allowed to" and made them significantly worse or broken them altogether?
Speaking as someone that has been that guy, it's important to understand why the policies exist while hating them :)
6 comments
[ 3.3 ms ] story [ 21.6 ms ] threadYou can do this with OpenVPN using the --tls-auth option. See: https://community.openvpn.net/openvpn/wiki/Hardening
Speaking as someone that has been that guy, it's important to understand why the policies exist while hating them :)