More clarity about the vulnerability of banking and credit card data and other sensitive information such as website logins and passwords came this week, when a Google researcher and a team from the Finnish security firm Codenomicon separately reported the existence of an Internet security flaw that is being called the Heartbleed Bug. What makes Heartbleed so insidious is the fact that it can allow hackers to snatch data from a server’s memory 64 kilobytes at a time—even if the information is supposedly encrypted—without leaving a trace. While the end user takes comfort in the ability of SSL/TLS encryption to keep his or her data from prying eyes, the “https” in the URL and the closed padlock icon are a cruel trick.
Since the news broke, websites have responded, updating their versions of OpenSSL, one of the most commonly used variants of SSL/TLS. These protocols were designed to implement asymmetric cryptography, wherein a unique private key is generated for each communication session in order to encrypt and authenticate the messages exchanged between the parties. But the flaw made data such as these keys and the information they were intended to keep secret far too easy to access. What’s more, the operators of the websites were completely unaware that this was possible.
How big a problem is this? Security expert Bruce Schneier, on his eponymous blog, says that, “…anything in memory—SSL private keys, user keys, anything—is vulnerable. And you have to assume that it is all compromised. All of it.” Not to put too fine a point on it, he added, “‘Catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.”
Is Schneier being sensationalist? Unfortunately, he’s not.
He reported that half a million sites that used OpenSSL—including his own—were vulnerable. That’s the bad news. The worse news is that the vulnerability, which left e-mail, instant messaging, and e-commerce and everything else open to plunder, went undetected since the affected version of OpenSSL was released in March 2012.
A Washington Post article discussing Heartbleed tried to take a glass-is-half-full view of the situation, noting that, “While it’s conceivable that the flaw was never discovered by hackers, it’s nearly impossible to tell.” But if you believe that no cybercrooks exploited this target of opportunity, I’ve got some oceanfront property in a landlocked country that you might be interested in.
At least we know that the flaw wasn't injected as part of a malicious scheme. Robin Seggelmann, the German developer who OpenSSL logs show introduced the bug in December 2011, says it was completely unintentional. Ironically, Seggelmann's task included fixing several existing bugs in the code and adding new features. "In one of the new features," he told the Sydney Morning Herald, "unfortunately, I missed validating a variable containing a length."
The work of closing the barn door well after the horse has left the county is now underway. A patch has been created for OpenSSL and websites that have updated their software are advising their customers to update their passwords as a precaution. But Paul Donfried, CTO at LaserLock Technologies , a firm that sells products for digital authentication and prevention of counterfeiting and identity fraud, says the fix that is sorely needed isn’t a patch.
In response to the Washington Post article, he wrote:
“As most Internet users change all their passwords in response to Heartbleed, and most system administrators patch OpenSSL and install new certificates, perhaps it’s time to ask why anyone is still using passwords for authentication? While strong authentication incorporating biometrics can’t protect a compromised SSL session, it can avoid identity theft, replay attacks, and all the pain and suffering we’re all now going to have to deal with. The availability of strong authentication solutions that incorporate face and voice recognition, and work with users existing equipment, begs the question: Why would websites that truly want to protect their users continue relying on passwords, PINs or any shared secrets? Much stronger, easier to use and more resilient solutions are readily available.”
Donfried's company sells technology designed to accurately identify who is participating in a transaction, which would prevent online security lapses from leading to subsequent misuse of pilfered login credentials. So it stands to reason that he'd be focusing on that. But his main concern was that security problems like Heartbleed don’t erode overall confidence in the Internet.
“As an industry and an Internet community we have a responsibility to make sure that before new security protocols are released, they are thoroughly tested—at a military-grade level,” says Donfried.
He, naturally, is a proponent of biometric authentication combined with out-of-band communication for the authentication process. “Even if the sites where I have my sensitive data aren’t compromised, chances are good that I’ve reused passwords from other sites that have been compromised,” he says. Meanwhile websites are offering only an illusion of security. “Usually the first thing transmitted over an SSL channel is authentication information. It’s unfortunate that a vast majority of sites using OpenSSL were relying on the security protocol to guard that data.”
All this begs two important questions: What other “catastrophic” Internet vulnerabilities remain undiscovered? And how long will login-password authentication model remain the default?
Willie Jones is an associate editor at IEEE Spectrum. In addition to editing and planning daily coverage, he manages several of Spectrum's newsletters and contributes regularly to the monthly Big Picture section that appears in the print edition.