To understand why Heartbleed is such an issue I first need to explain briefly why OpenSSL is, for many websites and a great many other systems and services, a key security component. Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) together make up the most widely deployed security protocol in use today. They provide a secure channel between two machines communicating over the Internet or an internal network, so that the messages flowing between them are hidden from eavesdroppers on the network.
Browsers, servers, network devices and so on all need a way of protecting login credentials and other information while in transit, so for reasons of scale and usability it is desirable that common solutions are adopted for such widely used processes. Because OpenSSL is freely available it has been adopted, and refined, by manufacturers and software developers the world over.
As a result of a coding error in an update to OpenSSL in 2011 it became possible to trick the library into revealing data that should have stayed hidden. A key component that exists to protect our data could therefore be exploited to eavesdrop on us and to gain access to data such as login credentials and encryption keys.
We have for a long time taken for granted that when we see https:// at the front of an address we have moved into a more secure environment. Post Heartbleed that is not necessarily the case, and in some cases it should make us more wary.
Of course not all websites that use SSL are at risk; we should point out here that only those using OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable. But as individuals, how do we tell whether the site we are currently using is affected? To give you an idea of the scope of the problem, it is estimated to affect two thirds of the world’s websites. As you would expect there has been an almighty scramble to identify and secure the sites deemed to be at risk, and with a reported 60% take-up progress would appear to have been made. The sobering fact is that of the remaining 40% we don’t know how many will eventually be secured, and we must accept that a proportion will be left over. Another sobering fact, if you weren’t sober enough already, is that it is alleged that a proportion of the Heartbleed fixes are being badly or improperly implemented, which could make the problem worse.
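For the people who actually run the servers, the first step is an inventory check against the affected range named above. The following is an added example, not code from the original article: it parses the first line of `openssl version` output (banners are constructed here, not from real systems) and flags hosts whose version falls in 1.0.1 through 1.0.1f; it also goes slightly beyond the article by treating 1.0.2-beta1 as affected, as the OpenSSL advisory did.

```python
import re
from typing import Dict, List, Optional, Tuple

# First line of `openssl version`, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013".
# The optional suffix group captures tags such as "fips" or "beta1".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-([A-Za-z0-9]+))?")

def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, int, str]]:
    """Return (major, minor, fix, letter_rank, suffix) or None if the banner is not OpenSSL.
    letter_rank is 0 for a bare release (1.0.1), 1 for 'a', ..., 6 for 'f', 7 for 'g'."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter, suffix = m.groups()
    rank = 0 if not letter else ord(letter) - ord("a") + 1
    return int(major), int(minor), int(fix), rank, (suffix or "").lower()

def heartbleed_status(banner: str) -> str:
    """Classify a banner against the affected range: 1.0.1 through 1.0.1f inclusive."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"
    major, minor, fix, rank, suffix = parsed
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (rank 0) to 1.0.1f (rank 6) ship the flawed heartbeat code; 1.0.1g fixed it.
        return "vulnerable-version" if rank <= 6 else "fixed"
    if (major, minor, fix) == (1, 0, 2) and suffix == "beta1":
        # Beyond the article: the OpenSSL advisory also listed 1.0.2-beta1; beta2 has the fix.
        return "vulnerable-version"
    # 0.9.8 and 1.0.0 never contained the heartbeat extension; later 1.0.2 builds are fixed.
    return "not-affected"

def hosts_to_review(inventory: Dict[str, str]) -> List[str]:
    """Hosts whose banner is in the affected range or could not be parsed.
    A 'vulnerable-version' hit is a flag to verify, not proof: distributions backported the
    fix into packages still reporting 1.0.1e, so confirm against the package changelog."""
    return sorted(h for h, b in inventory.items()
                  if heartbleed_status(b) in ("vulnerable-version", "unknown"))

# Constructed sample inventory (hostname -> banner); these are not real systems.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "vpn-01": "OpenSSL 1.0.0k 5 Feb 2013",
    "lb-01":  "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "dev-01": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "legacy": "LibreSSL 2.0.0",
}

if __name__ == "__main__":
    for host in hosts_to_review(SAMPLE_INVENTORY):
        print(host, heartbleed_status(SAMPLE_INVENTORY[host]))
```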
In addition, the certificates used to confirm the authenticity of websites were also compromised. They rely on private keys used in encryption that must be kept hidden, and the Heartbleed flaw allows an attacker to steal those keys by pummelling a vulnerable server with carefully crafted requests.
While the Heartbleed fallout undoubtedly affects all of us as individuals, Heartbleed is a problem that must be sorted out by the various industries involved. As individuals all we can do is take extra care over our Internet activities.
Of course companies should be looking at their own websites and network infrastructure to see where these issues might apply to them. It is likely to take years for the whole mess to be cleared up, and it may be that this is the beginning of the end for SSL as we know it.
As an industry we need to take heed, learn our lesson and be vigilant as to where the next OpenSSL-style flaw is likely to arise.
Gary Johnston has produced an article, Heartbleed – How SSL was crippled in a Heartbeat, summing up the events that led to Heartbleed and the story so far.
Tamite IT provides security courses and seminars designed to inform businesses about security issues and the implications arising from them.