There is light at the end of the Heartbleed tunnel for the CDN industry. All CDNs have updated their systems and applications, including Akamai, EdgeCast, CloudFlare, Fastly, MaxCDN, Limelight, Incapsula, and so on. CloudFlare probably has the most work to do on the SSL front, since they have the most customers. On the other hand, Akamai is the dominant CDN in the ecommerce vertical, holding the lion’s share of large ecommerce companies like eBay. Andy Ellis, Akamai’s Chief Security Officer, confirmed with me yesterday that Heartbleed has been disabled. Also, in the future Akamai is going to offer Perfect Forward Secrecy (PFS) to customers.
PFS is “the property that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the (long-term) private keys is compromised in the future.” The one key takeaway from CloudFlare’s “The Heartbleed Challenge” and Akamai’s challenge by independent security engineer Willem Pinckaers is this: never underestimate the power of the security engineering community. They approach security-related problems with a different mindset than the traditional enterprise. These folks can find vulnerabilities on the fly when others can’t. And when you think about it, these are the skill sets that cyber criminals have at their disposal.

Akamai is in Good Shape Now