Was Heartbleed intentional?
Some folks seem to believe so, since the intelligence community was using it since at least November of last year... and because the bug has been out there since March 14, 2012. Take a look at https://www.owasp.org/index.php/The_Heartbleed_Bug and
Looking at this code, we all agree that a simple code review would have found this issue. One rule should be that all code at risk of security breaches must be sent through a validation proof. As computer scientists, we understand this, but those who claim to be coders and write stuff like this need to be stopped. We need to raise the bar and put in place procedures to prevent these shortcomings, which expose us as a nation.
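As an added illustration (this is not OpenSSL's code and not part of this post), the C below models the kind of length check a code review would look for in a heartbeat handler: a parser that trusts the 16-bit length field carried in the message, beside one that first checks the declared length against the number of bytes actually received. The message layout (1-byte type, 2-byte length, payload, 16 bytes of padding), the struct and the function names are assumptions made for the example; the sample records in main() are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed layout modelled on a TLS heartbeat message:
 * 1 byte type, 2 bytes big-endian payload length, payload, >= 16 bytes padding. */
#define HB_HEADER_LEN 3
#define HB_MIN_PADDING 16

/* Parsed view of a heartbeat request; payload points into the caller's record. */
struct heartbeat {
    uint8_t type;
    uint16_t payload_len;
    const uint8_t *payload;
};

/* Vulnerable pattern: trusts the length field inside the message and never
 * compares it with the number of bytes received. Any response that copies
 * hb->payload_len bytes from hb->payload would read beyond the record. */
int parse_heartbeat_unchecked(const uint8_t *rec, size_t rec_len, struct heartbeat *hb)
{
    if (rec_len < HB_HEADER_LEN) return -1;
    hb->type = rec[0];
    hb->payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    hb->payload = rec + HB_HEADER_LEN;
    return 0;                      /* accepts a 65535-byte claim on a 19-byte record */
}

/* Hardened pattern: the declared length must fit inside the received record,
 * leaving room for the mandatory padding; otherwise the message is dropped. */
int parse_heartbeat_checked(const uint8_t *rec, size_t rec_len, struct heartbeat *hb)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return -1;
    uint8_t type = rec[0];
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    /* Arithmetic in size_t so a large payload_len cannot wrap around. */
    if ((size_t)HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len) return -1;
    hb->type = type;
    hb->payload_len = payload_len;
    hb->payload = rec + HB_HEADER_LEN;
    return 0;
}

/* Builds the echo response from a message that passed the checked parser.
 * Returns the number of bytes written, or -1 if out is too small. */
long build_heartbeat_response(const struct heartbeat *hb, uint8_t *out, size_t out_cap)
{
    size_t need = HB_HEADER_LEN + (size_t)hb->payload_len + HB_MIN_PADDING;
    if (need > out_cap) return -1;
    out[0] = 2;                                  /* heartbeat_response */
    out[1] = (uint8_t)(hb->payload_len >> 8);
    out[2] = (uint8_t)(hb->payload_len & 0xff);
    memcpy(out + HB_HEADER_LEN, hb->payload, hb->payload_len);
    memset(out + HB_HEADER_LEN + hb->payload_len, 0, HB_MIN_PADDING);
    return (long)need;
}

int main(void)
{
    /* Constructed malformed request: claims 0xFFFF payload bytes, carries only padding. */
    uint8_t bad[HB_HEADER_LEN + HB_MIN_PADDING] = {1, 0xff, 0xff};
    /* Constructed well-formed request: 5-byte payload "hello" plus padding. */
    uint8_t good[HB_HEADER_LEN + 5 + HB_MIN_PADDING] = {1, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    struct heartbeat hb;
    uint8_t out[64];

    printf("unchecked accepts malformed: %s\n",
           parse_heartbeat_unchecked(bad, sizeof bad, &hb) == 0 ? "yes" : "no");
    printf("checked accepts malformed:   %s\n",
           parse_heartbeat_checked(bad, sizeof bad, &hb) == 0 ? "yes" : "no");
    if (parse_heartbeat_checked(good, sizeof good, &hb) == 0)
        printf("checked well-formed: %ld response bytes\n",
               build_heartbeat_response(&hb, out, sizeof out));
    return 0;
}
```

The unchecked parser accepts a request that declares 65535 payload bytes on a 19-byte record; whatever later copies hb.payload_len bytes from hb.payload would read memory that was never part of the message. The checked parser rejects that request before any copy is attempted, which is exactly the one-line comparison a reviewer should expect to see wherever a length comes from the network.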
The folks at http://www.openssl.org cannot be the only ones to blame. Most organizations with established security rarely use Open Source directly. They would have a vendor to work with that knew a bit more than the open source folks normally do. That organization would take the risk on to assure that the code was correct.
I would suggest looking into this bug if you are hosting any websites with your ISP, as it is a really bad one. The code has been out there since March 14, 2012 and was only just reported and fixed in OpenSSL 1.0.1g on April 7. Take a close read over https://www.owasp.org/index.php/The_Heartbleed_Bug, then test the sites you are concerned about for the vulnerability at https://filippo.io/Heartbleed/ and replace your TLS certificates (with newly generated private keys, since the old ones may have been exposed) if necessary.
This is definitely a call to arms for using Perfect Forward Secrecy (PFS). The excuse that I always hear is that it would cost more money. Sometimes a bit more money spent would keep us all a bit safer.
We assure you that all Diassu Software customers are safe from this issue.
2014-04-13 - by John Kruebbe