If this code was running on the Akamai networks for years, why did they have a copy lying around that didn't call mprotect?
Given the above problems I wonder how Akamai manages to run this in production.
How could you misread a two paragraph email so badly? Here, let me shorten it up for you:
> This patch is a _variant_ of what we've been using to help
> protect customer keys for a decade.
> This should really be considered more of a proof of
> concept than something that you want to put directly into
> production. Let me restate that: do not just take this
> patch and put it into production without careful review.
So to answer your question: this version was never running in production, and the initial patch didn't call mprotect because they stripped it out from their version when creating the POC.
> As a result, we have begin the process of rotating all customer SSL keys/certificates.
AGHHHHHHH! Even if their code was likely to have worked perfectly, this is a huge mistake. And I mean huge. They should've operated under the assumption that their defense didn't work and immediately rotated all keys. Period.
They used their patch for some length of time, released it to the community, and a few hours later a bug was spotted and fixed. Peer review is a good thing.
I would be more sympathetic if they'd said "do not take this patch and put it into production, it's almost certainly incomplete and buggy". "without careful review" suggests that they actually expected some possibility of it being complete and correct, at which point having somebody verify that currently it is neither is still really rather useful.
It's more an 'exemplar of concept' or something, really - which is still valuable, but I do wish they'd made that more clear.