A Bug At The Heart Of The Internet


A vulnerability in the Internet’s most common encryption system has compromised personal data:

Some websites running SSL encryption, such as Airbnb, Pinterest, USMagazine.com, NASA, and Creative Commons, among others, were exposed to a major security bug called Heartbleed on Monday. The bug was reportedly discovered by a member of Google’s security team and a software security firm called Codenomicon.

A number of other websites may, according to a list being distributed on GitHub, be vulnerable to the bug as well. … A security patch for the bug was announced on Monday, but many websites are still playing catch up. That’s why websites like the Tor Project are, only somewhat tongue-in-cheek, advising that you stay off the Internet this week if you really care about your security.

Dan Goodin explains why this is such a big deal:

The two-year-old bug is the result of a mundane coding error in OpenSSL, the world’s most popular code library for implementing HTTPS encryption in websites, e-mail servers, and applications. The result of a missing bounds check in the source code, Heartbleed allows attackers to recover large chunks of private computer memory that handle OpenSSL processes. The leak is the digital equivalent of a grab bag that hackers can blindly reach into over and over simply by sending a series of commands to vulnerable servers. The returned contents could include something as banal as a time stamp, or it could return far more valuable assets such as authentication credentials or even the private key at the heart of a website’s entire cryptographic certificate.

Underscoring the urgency of the problem, a conservatively estimated two-thirds of the Internet’s Web servers use OpenSSL to cryptographically prove their legitimacy and to protect passwords and other sensitive data from eavesdropping. Many more e-mail servers and end-user computers rely on OpenSSL to encrypt passwords, e-mail, instant messages, and other sensitive data. OpenSSL developers have released version 1.0.1g that readers should install immediately on any vulnerable machines they maintain. But given the stakes and the time it takes to update millions of servers, the risks remain high.
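Goodin's "missing bounds check" in code, as an added example that is not part of the article or of OpenSSL itself: a heartbeat handler that rejects a record whose declared payload length does not fit in the bytes that actually arrived, plus a helper that reports how far an unchecked copy would have read past the record. The message layout follows RFC 6520; the two sample records are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* TLS heartbeat layout (RFC 6520): 1-byte type, 2-byte big-endian payload
   length, payload, then at least 16 bytes of padding. */
#define HB_HEADER_LEN  3
#define HB_PADDING_LEN 16
#define HB_REQUEST     1
static size_t declared_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* The check the vulnerable code omitted: the sender-declared payload length
   must fit inside the record that actually arrived. 1 = well-formed. */
int heartbeat_length_ok(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN + HB_PADDING_LEN) return 0;
    return HB_HEADER_LEN + declared_len(rec) + HB_PADDING_LEN <= rec_len;
}

/* Bytes past the end of the record that an unchecked copy of 'declared'
   bytes would have read; 0 means the declared length was honest. */
size_t heartbeat_overread(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN) return 0;
    size_t needed = HB_HEADER_LEN + declared_len(rec) + HB_PADDING_LEN;
    return needed > rec_len ? needed - rec_len : 0;
}

/* Echo the payload only after the bounds check passes. Returns the number
   of bytes echoed, or -1 when the request is rejected. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap) {
    if (!heartbeat_length_ok(rec, rec_len) || rec[0] != HB_REQUEST) return -1;
    size_t n = declared_len(rec);
    if (n > out_cap) return -1;
    memcpy(out, rec + HB_HEADER_LEN, n);  /* n is bounded by rec_len here */
    return (int)n;
}

/* Constructed sample records: same 4-byte payload and 16 bytes of padding,
   but the second one declares a 65535-byte payload it does not carry. */
static const uint8_t HONEST_REC[] = { HB_REQUEST, 0x00, 0x04, 'p','i','n','g',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
static const uint8_t LYING_REC[]  = { HB_REQUEST, 0xFF, 0xFF, 'p','i','n','g',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };

/* Respond into a scratch buffer and report the echoed length (-1 = rejected). */
int demo_respond(const uint8_t *rec, size_t rec_len) {
    uint8_t out[64];
    return heartbeat_respond(rec, rec_len, out, sizeof out);
}
```

With the honest record the handler echoes 4 bytes; with the lying record it returns -1, where an unchecked copy would have read 65531 bytes beyond the 23-byte record.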

Matthew Ingram explains what you can do about it:

If you are a web user, the short answer is not much. You can check the list of sites affected on GitHub, or you could try a tool from developer Filippo Valsorda that checks sites to see if they are still vulnerable (although false positives have been reported), and you should probably change your passwords for those sites if you find any you use regularly.

If you are a network administrator or website manager, then you should already be applying the patch and/or recompiling your version of OpenSSL to remove the vulnerability — and you should also be reissuing your SSL security certificates and getting users to create new passwords. The problem is that doing all of this on every server and for every user and service is going to take some time.

(Image: XKCD)