We’re into the third day now of dealing with the massive OpenSSL security flaw known as the Heartbleed bug. We’ve been reporting on the story in posts here and here. Essentially, Heartbleed is a flaw in OpenSSL, the open source cryptographic library that implements the SSL/TLS protocol for an estimated two-thirds of the web’s servers and is used to encrypt communication between websites, Apps, services and users. Email, messaging, VPNs, Apps, as well as ordinary websites could be impacted. Estimates are that over 500,000 sites may have been affected and those estimates continue to rise.
What has happened is that for over two years (the faulty code shipped in OpenSSL 1.0.1 in March 2012) anyone who could connect to an affected server has been able to read up to 64 KB of that server’s working memory per request, and repeat the request as often as they like. That memory can contain whatever the server happened to be handling: user names, passwords and session cookies in plain text, and, worst of all, the server’s private encryption key. If malefactors took the private key, they can impersonate the site and, unless the site used forward secrecy, decrypt any traffic they had recorded earlier, so it is as if no encryption protection had been afforded in the first place. Websites and services that have not installed the patch remain exposed going forward.
Unfortunately the attack leaves no trace: the malformed request is handled entirely inside OpenSSL and never reaches the web server’s normal logging, so there is no record that would show malicious activity. Many websites and Apps are therefore having to assume their data may have been compromised and are now patching, generating new keys and certificates, and revoking the old ones.
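To make the mechanism above concrete, here is an added Python simulation (not OpenSSL’s code and not from the original post) of how the heartbeat handler went wrong. A TLS heartbeat request carries a one-byte type, a two-byte payload length, the payload, and at least 16 bytes of padding. The pre-1.0.1g code trusted the length field the client supplied and copied that many bytes back, so a client could claim a payload far larger than it actually sent and receive whatever sat next to the request in memory. The fix added a check that the claimed length fits inside the record that actually arrived. The "process memory" here is a constructed byte string with a made-up secret appended after the record.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
PADDING_LEN = 16  # a heartbeat message carries at least 16 bytes of padding

# Constructed stand-in for key material that happens to sit next to the
# request buffer in the server's memory (not a real key).
SECRET = b"-----BEGIN RSA PRIVATE KEY----- (constructed secret) -----END RSA PRIVATE KEY-----"


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Encode a heartbeat request: type(1) | payload_length(2) | payload | padding.

    `claimed_len` is what the client *says* the payload length is; an honest
    client sets it to len(payload), a Heartbleed client sets it much larger.
    """
    return (bytes([HEARTBEAT_REQUEST])
            + struct.pack("!H", claimed_len)
            + payload
            + b"\x00" * PADDING_LEN)


def vulnerable_process_heartbeat(memory: bytes, record_len: int) -> Optional[bytes]:
    """Mirror the flawed logic: copy `payload_length` bytes starting at the
    payload, never checking that they lie inside the `record_len` bytes that
    were actually received.  `memory` models the process heap: the record
    followed by whatever data happened to be adjacent."""
    if memory[0] != HEARTBEAT_REQUEST:
        return None
    (payload_len,) = struct.unpack("!H", memory[1:3])
    payload_start = 1 + 2
    # BUG: no bounds check against record_len; the slice runs past the record.
    return memory[payload_start:payload_start + payload_len]


def fixed_process_heartbeat(memory: bytes, record_len: int) -> Optional[bytes]:
    """Same handler with the 1.0.1g-style bounds checks: discard the message
    if it is too short to be a heartbeat at all, or if type + length field +
    claimed payload + padding would exceed the received record."""
    if memory[0] != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + PADDING_LEN > record_len:
        return None  # silently drop: record too short
    (payload_len,) = struct.unpack("!H", memory[1:3])
    if 1 + 2 + payload_len + PADDING_LEN > record_len:
        return None  # silently drop: claimed payload does not fit the record
    payload_start = 1 + 2
    return memory[payload_start:payload_start + payload_len]


def simulate(claimed_len: int, payload: bytes = b"hi"):
    """Run one heartbeat through both handlers and return (vulnerable, fixed) replies."""
    record = build_heartbeat(payload, claimed_len)
    memory = record + SECRET  # constructed heap layout: record, then a secret
    return (vulnerable_process_heartbeat(memory, len(record)),
            fixed_process_heartbeat(memory, len(record)))


if __name__ == "__main__":
    honest = simulate(claimed_len=2)
    print("honest request, both handlers echo:", honest)
    # Claim far more than the 2 bytes actually sent (real attacks used up to 65535).
    leaked, dropped = simulate(claimed_len=2 + PADDING_LEN + len(SECRET))
    print("vulnerable handler leaked secret:", SECRET in leaked)
    print("fixed handler reply:", dropped)
```

The honest request is echoed identically by both handlers; the oversized claim makes the vulnerable handler return the secret while the fixed one drops the message. Nothing in the vulnerable path writes to a log, which is why sites cannot tell after the fact whether they were hit.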
For users it means that nothing malicious happened on your device. But data you sent over an encrypted connection, including user names, passwords, credit card info, etc., may have been compromised on the server side. Users have been encouraged to avoid sites that may have been affected and we posted a list of things you should do or be prepared to do.
The quick reaction many of us would take in the wake of such news would be to immediately change passwords. But note that one of the recommended steps, while seeming somewhat counter intuitive, is to wait before doing so: a new password sent to a site that is still vulnerable can be stolen exactly the same way as the old one. Once a website, App, or service notifies you that it has completed the patch and obtained a new certificate (a patch alone does not help if the old private key was already taken), then you should change your password.
I received one such notification for the service IFTTT today that read as follows:
A major vulnerability in the technology that powers encryption across much of the internet was discovered this week. Like many other teams, we took immediate action to patch the vulnerability in our infrastructure.
IFTTT is no longer vulnerable.
Though we have no evidence of malicious behavior, we’ve taken the extra precaution of logging you out of IFTTT on the web and mobile. We encourage you to change your password not only on IFTTT, but everywhere, as many of the services you love were affected.
If you have any questions or concerns, please email firstname.lastname@example.org.
Other companies are taking similar precautions by logging users out until they have patched the problem and then notifying users to change their passwords. That process will be replicated over and over again across the Internet. But please be aware that not every site, App, or service you have given info to will take the step to notify you that they have patched the vulnerability. If you are concerned about a site you do business with it certainly makes sense to contact them and request information about how they are dealing with the issue.
With that in mind, other sites and services are publishing tools and methods to allow users to discover problematic sites. In yesterday’s post we listed two such tools. Another example, Qualys SSL Labs, has published a method for testing websites you visit to see if they are secure from Heartbleed or not.
Popular password management company LastPass now has a Heartbleed Bug security scan added to its site scanning software. The scan checks sites you have stored with LastPass to see if new SSL certificates have been issued (meaning the site has patched and replaced its keys) and helps you to generate a new password if the site passes. Be aware that a site which has patched but still presents its old certificate has not finished the job, since the old key may have leaked; the date on the new certificate is the signal to look for.
AgileBits, the makers of another password manager, 1Password, issued a blog post on the issue as well. First it let users know that their 1Password data was safe, since the vault’s own encryption does not depend on OpenSSL. Then users are reminded that they will have to change passwords for sites they visit.
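Two of the checks described above, the “has the certificate been reissued since the fix?” test that the LastPass scanner performs and the “is this OpenSSL build in the affected range?” test an administrator would run on a server, can be scripted. The following Python is an added example, not LastPass’s, Qualys’s or OpenSSL’s code. It assumes the first fixed release is OpenSSL 1.0.1g of 7 April 2014 and that the affected releases are 1.0.1 through 1.0.1f plus 1.0.2-beta1, as stated in the OpenSSL advisory; the certificate dictionaries are constructed to mirror what Python’s `ssl.SSLSocket.getpeercert()` returns, and `fetch_peer_cert` is the only part that touches the network.

```python
import re
import socket
import ssl
from typing import Dict, Optional

# OpenSSL 1.0.1g, released 7 April 2014, is the first 1.0.1 release with the fix.
HEARTBLEED_FIX_DATE = "Apr 7 00:00:00 2014 GMT"
FIX_EPOCH = ssl.cert_time_to_seconds(HEARTBLEED_FIX_DATE)

# Releases listed as affected in the OpenSSL advisory. 1.0.0 and 0.9.8 never
# contained the heartbeat code and are not affected.
VULNERABLE_VERSIONS = {"1.0.1" + suffix for suffix in ["", "a", "b", "c", "d", "e", "f"]}
VULNERABLE_VERSIONS.add("1.0.2-beta1")

_VERSION_RE = re.compile(r"\b(1\.0\.[12](?:[a-z]|-beta\d+)?)\b")


def version_is_vulnerable(banner: str) -> bool:
    """Classify the output of `openssl version`, e.g. 'OpenSSL 1.0.1e 11 Feb 2013'.

    Caveat: Linux distributions backport fixes without bumping the version
    string (a Debian build may report 1.0.1e yet carry the fix), so True means
    'check the package changelog or test the server', not 'exploitable'.
    """
    match = _VERSION_RE.search(banner)
    if match is None:
        return False
    return match.group(1) in VULNERABLE_VERSIONS


def cert_reissued_after_fix(cert: Dict) -> bool:
    """Return True if the certificate's notBefore date is on or after the day
    the fix shipped, i.e. the operator plausibly generated a new key pair after
    patching.  `cert` is the dict returned by SSLSocket.getpeercert()."""
    return ssl.cert_time_to_seconds(cert["notBefore"]) >= FIX_EPOCH


def password_advice(cert: Dict) -> str:
    """Turn the certificate check into the advice this post gives users."""
    if cert_reissued_after_fix(cert):
        return "certificate reissued after the fix: change your password now"
    return ("certificate predates the fix: wait, the site may still be exposed "
            "or may not have replaced a possibly leaked key")


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> Optional[Dict]:
    """Fetch and verify a live server certificate (network access; not exercised
    by the offline examples below)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed certificate dictionaries in getpeercert() shape (not real sites).
CONSTRUCTED_OLD_CERT = {
    "subject": ((("commonName", "old.example.test"),),),
    "notBefore": "Jan 15 00:00:00 2013 GMT",
    "notAfter": "Jan 15 23:59:59 2015 GMT",
}
CONSTRUCTED_NEW_CERT = {
    "subject": ((("commonName", "new.example.test"),),),
    "notBefore": "Apr 10 12:00:00 2014 GMT",
    "notAfter": "Apr 10 12:00:00 2016 GMT",
}

if __name__ == "__main__":
    for banner in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.0l 6 Jan 2014", "OpenSSL 1.0.2-beta1 24 Feb 2014"):
        print(f"{banner!r}: affected range = {version_is_vulnerable(banner)}")
    for cert in (CONSTRUCTED_OLD_CERT, CONSTRUCTED_NEW_CERT):
        print(cert["subject"][0][0][1], "->", password_advice(cert))
```

A certificate issued after 7 April 2014 is circumstantial evidence, not proof, of re-keying: an operator can reissue a certificate for the old key pair, and some certificate authorities re-sign the same key on renewal. It is nonetheless the best signal available from outside, which is why the LastPass scanner relies on it.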
In this day and age where security and privacy concerns are heightened by events like the Edward Snowden/NSA saga, some are concerned that this sort of “leaving the door open” security hole was a perfect target for the NSA to use for snooping.
Expect this kind of activity and concern to continue for some time until companies feel that they have remediated the situation, which for many is proving quite costly. Consumers are obviously affected, but thousands of enterprise customers have been affected as well.
More recommended reading on the Heartbleed bug can be located at the following:
- Wired: After ‘Catastrophic’ Security Bug the Internet Needs a Password Reset
- The RackSpace Blog: Protect Your Systems From ‘Heartbleed’ OpenSSL Vulnerability
- Help Net Security: HeartBleed OpenSSL vulnerability: A technical remediation