If you have watched the news or been online since last Monday, you might have heard something about the latest Internet threat to your privacy and online security — the Heartbleed bug.
The Heartbleed bug is a vulnerability in one of the principal tools used to encrypt sensitive information stored on Web servers. Information like usernames, passwords, and financial information like credit card numbers or bank accounts. The tool under attack, OpenSSL, is used by over two-thirds of all Web servers today to protect sensitive information on the Web.
As its name suggests, OpenSSL is an open source implementation of the “Secure Sockets Layer” cryptographic protocol. This “authenticates” the source of information and provides a means for determining whether a communication is from a trustworthy source.
The OpenSSL protocol uses cryptographic “keys” that represent a sort of shared secret between communicating parties. The keys establish who the parties are before the exchange of information begins. They are the basis of the “certificates” we all rely upon to know that we are actually communicating with Google or Facebook or our bank.
Heartbleed takes its name from the OpenSSL “heartbeat extension.” This extension monitors the connection between servers and your computer to determine whether the communication taking place is “live.” It also fulfills the trustworthiness criteria specified in the identification process.
Heartbleed is a glitch in the heartbeat code that allows memory on a device to be read by another device. That memory could potentially contain sensitive information. Since the information is not protected, hackers can read it and harvest information like usernames and passwords.
But that’s not the worst part. It was discovered later in the week that the Heartbleed bug can be used to create fake websites that mimic trusted websites you might use. It thereby could cause unsuspecting Web surfers to disclose sensitive information like user names and passwords as they log into a fake website.
Imagine logging into Google or Facebook. Everything appears as it always does at login, with the site thereafter performing as expected. It’s only later you discover that your privacy and security have been compromised.
The reason this is possible, as discovered by two ethical hackers separately, is that the Heartbleed bug not only allows the interception of user information in memory as noted above, but it also allows a server’s certificates to be copied and, thereafter, applied to mimic sites.
Changing your usernames and passwords could address the main security issues. But it doesn’t address the bigger problem, that being the fundamental breach of trustworthy communications on the Internet.
If the certificates of source aren’t trustworthy, how can anyone know their communications are going where they intend them to go?
Unfortunately, the simplest solution has potentially the gravest of consequences. Especially in our convenience-driven world of Internet communication. All websites on the Internet would need to change the existing certificates with new ones.
This already occurs on a fairly limited basis as website administrators discover their certificates have been compromised. In fact, your Internet browser contains software that checks to make sure the website you’re using has a secure and up-to-date security certificate. If a page’s certificate is on a list of invalidated certificates, your browser will warn you before it connects you to the page.
But currently, the list is very short. And it doesn’t take too much time for your browser to make sure the website you’re trying to access is secure. But imagine that list growing tenfold, or a thousandfold. Millions of entries from every Internet vendor who might have been affected by the bug would have to add their certificates to the list.
The amount of time it takes for your browser to certify the website is secure would skyrocket. And it could drive Internet traffic to a halt.
According to Paul Mutton, a security consultant at the Web services company Netcraft, checking a site’s identity would take vastly longer. “If a certificate authority has to revoke 10,000 certificates, that entry will have 10,000 certificates on it,” Mutton said. “And if browsers have to download that… we’re talking hundreds of megabytes.”
It’s roughly the equivalent of downloading 30 minutes worth of standard-definition video just to view a single Web page.
So what can you do?
If you’re already a subscriber of the Spy Briefing Letter, then you probably already know about LastPass. It’s a service that generates secure passwords and gives you the ability to store them online. And don’t worry, they make it a point not to log your account’s password in their records. So only you have access to your information.
Over the last week, LastPass has taken what appear to be the appropriate steps to protect their users from the Heartbleed bug and the dangers of certificate mimicry on their site. The advice they give is pretty straightforward. Change your usernames and passwords. But more importantly, adopt a strategy to regularly change them.
There will likely be significant fallout from the Heartbleed bug in the weeks to come. Especially as the ramifications of the security breach become more apparent and understood. And of course, you still have to worry about the hacker community, which is always trying to find ways to exploit and compromise the “fixes” that are put in place.
We’ll keep an eye on things and keep you up-to-date. Stay tuned.
Sincerely,
Mike Leahy
