You've heard about the Heartbleed bug. It's made you question what you previously believed to be rock-solid and secure: web traffic protected by https or SSL. So what is SSL and why does Heartbleed matter?
A Brief History of Internet Security
Federal legislation through the 1980s and 1990s created new information security requirements for consumers' personal health and financial information. However, it wasn't until a set of standards called Secure Sockets Layer (SSL) began rolling out in the mid-1990s that online data exchanges became truly secure. SSL, and later Transport Layer Security (TLS), remain the main protection for online communications against increasingly pervasive malicious software and automated agents that try to intercept or steal data, or to impersonate a legitimate party through spoofing or masquerading attacks.
SSL and TLS are widely used cryptographic protocols that protect web browsing, email, e-faxes, text and instant messages, and voice over IP phone calls. In April 2014, researchers disclosed "The Heartbleed Bug" in OpenSSL, the most common implementation of SSL/TLS.
So what is the Heartbleed Bug?
According to Symantec, one of the leading online security firms, the scope of the so-called Heartbleed bug goes beyond well-known public websites such as Yahoo or Google. It can affect every type of client that speaks SSL/TLS, such as browsers, email programs, FTP clients and more.
Here's a non-technical explanation of how it works. Think of two people on a first date. The woman asks a man, "So, where did you grow up?" The man answers, "Topeka, Kansas and my Bank of America login is bob.hanson and my password is 1hotdiggity." Not good.
As described by Symantec, Heartbleed can involve an "attacking client sending a malicious Heartbeat message to a vulnerable server and the server exposing private data." In other words, the attacker sends a specially crafted request for information, a trojan horse message of sorts, and the vulnerable system forgets that the data it holds is private and hands it over even though it was never requested. Just like in our first date example. Heartbleed also works in the opposite direction: a malicious server can use its "Svengali" powers to make a vulnerable user client give up passwords or other private data held in its memory.
Who found the Heartbleed Bug?
During routine testing of security tools, a team of researchers (Riku, Antti and Matti) at Codenomicon, and Neel Mehta of Google Security, found the Heartbleed Bug. The bug was mistakenly introduced into the OpenSSL encryption library in 2012. The announcement of Heartbleed by these researchers, and the revelation that it had been "in the wild" for a few years, might seem odd to those of us who are not data security professionals. However, it's common practice for researchers to announce the discovery of security weaknesses, even before a "fix" is identified. This bug is considered unique because, through a programming error, it exposed private encryption keys on the Internet. Further, it created a vulnerability that is relatively easy to exploit and leaves no trace of any breach of private data. Technically, the bug allows "secure" data communications to leak data stored in the memory of servers or clients such as browsers or email clients.
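To make the "programming error" concrete, here is an added example in C (not code from this article, from OpenSSL or from Symantec): a deliberately simplified heartbeat handler in its buggy shape beside the fixed one, run against a constructed memory image. The record format, the function names and the "SECRET-KEY-MATERIAL" bytes are assumptions made for the illustration.

```c
#include <stdint.h>
#include <string.h>
/* Toy heartbeat record: 1-byte type, 2-byte big-endian payload length,
 * then the payload. Real TLS framing is richer; this isolates the bug. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
/* Constructed memory image: a request whose length field claims 20 bytes
 * but carries only "ping", followed by data that is not the peer's to
 * read (a stand-in for key material or session data). */
static const unsigned char memory_image[] =
    "\x01\x00\x14" "ping"          /* header: type 1, claimed length 0x0014 */
    "SECRET-KEY-MATERIAL";         /* adjacent bytes in the same process */
#define RECEIVED_LEN 7             /* bytes the peer actually sent */
static unsigned char reply[64];
/* Buggy shape: trust the peer's length field and echo that many bytes,
 * never comparing it with how many bytes were actually received. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap) {
    (void)rec_len;                                   /* ignored: the bug */
    size_t claimed = (size_t)((rec[1] << 8) | rec[2]);
    if (claimed + 3 > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);               /* reads past the request */
    return 3 + claimed;
}
/* Fixed shape: a length field larger than the data received is a lie,
 * and a lying request is dropped rather than answered. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return 0;
    size_t claimed = (size_t)((rec[1] << 8) | rec[2]);
    if (claimed > rec_len - 3) return 0;             /* the missing check */
    if (claimed + 3 > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);
    return 3 + claimed;
}
size_t demo_vulnerable_reply_len(void) {
    return heartbeat_vulnerable(memory_image, RECEIVED_LEN, reply, sizeof reply);
}
/* 1 if the vulnerable reply carries bytes from beyond the 4-byte payload. */
int demo_vulnerable_leaks(void) {
    return demo_vulnerable_reply_len() > 7 && memcmp(reply + 7, "SECRET-KEY", 10) == 0;
}
size_t demo_fixed_reply_len(void) {
    return heartbeat_fixed(memory_image, RECEIVED_LEN, reply, sizeof reply);
}
```

The vulnerable handler answers the 7-byte request with a 23-byte reply whose tail is adjacent memory; the fixed handler refuses the same request because the claimed length exceeds what was received.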
If your systems that use OpenSSL have been exposed to the Heartbleed bug, recovery involves first patching the vulnerability, then revoking the old encryption keys and distributing new ones. You might recall that major web-based services recommended changing passwords in April 2014. Users potentially affected by the bug have been instructed to clear their browser caches and remove any browser cookies to start over with a clean slate.
Here is a list of well-known sites affected by the Heartbleed Bug:
- Tumblr
- Yahoo
- Gmail
- Yahoo Mail
- GoDaddy
- Intuit Turbo Tax
- Dropbox
- Minecraft
- OkCupid
All of these services have announced updating to the latest version of OpenSSL to mitigate the Heartbleed Bug.
How To Protect Yourself Against Heartbleed
One way is to ask the people managing each system you access whether it is vulnerable to Heartbleed. Of course, this option will take a prohibitive amount of time.
A better method is to use this Symantec tool. Enter the full URL of the site you are concerned about and Symantec will quickly come back with whether it's safe or not.
Below you can see that a Pacific Timesheet evaluation system, with encryption standards similar to those used on our production cloud systems, is "safe from the Heartbleed vulnerability" according to Symantec's tool.
Are Cloud Systems Better?
One take-away of the Heartbleed incident is that all users of systems should be cautious. Another lesson might be that cloud systems should be considered, once again, as a more secure option for important systems like time, work and asset tracking. Cloud systems vendors, running software for which they are the only true experts, often do so on uniform, well-tested and monitored platforms that they control using the strictest security standards. Vendors like Pacific Timesheet, whose business wholly depends upon operating safe systems, can guarantee that their systems will not be compromised by threats like Heartbleed.
Sources:
http://www.heartbleed.com
http://www.symantec.com/connect/blogs/heartbleed-poses-risk-clients-and-internet-things
http://en.wikipedia.org/wiki/Secure_Sockets_Layer