Heartbleed: A Bloody Catastrophe
The internet as we know it is on the verge of collapse! OK, this may be a bit of hyperbole, but according to many internet security analysts, just barely. Anywhere from 20%-40% of internet servers were compromised by the now-infamous Heartbleed bug, an error in the OpenSSL security implementation that protects many of our everyday online activities. Heartbleed is as about as bad as a security hole gets. By exploiting Heartbleed, malicious attackers can very easily gain access to unencrypted usernames, passwords, and other sensitive information.
Like many stories from the tech world, Heartbleed just begs for an apt analogy, so here goes. Heartbleed is tantamount to locking your sensitive documents in a safe, with one caveat: the safe contains a tiny hole that allows thieves to steal bits of your documents, one small piece at a time. After so many attempts, it’s inevitable that the would-be safe crackers would pilfer enough data to cause you a serious headache. Heartbleed allows attackers to read information directly from a server’s memory in small, 64-kilobyte chunks. This process completely bypasses the encryption (lock combination) that has made OpenSSL one of the most trusted standards in modern internet security.
All of this sounds bad, sure, but Heartbleed is considered so serious because it is ostensibly a perfect storm of security nightmares rolled into one. It affects a large number of systems, it’s very easy to exploit, and it is virtually untraceable, to boot. Heartbleed had also gone almost two years under the radar of security experts. Some speculate that the NSA had knowledge of Heartbleed but chose not to alert the masses, a claim that the NSA, of course, vehemently denied. Otherwise, the only people aware of Heartbleed for the past 24 months may have been malicious hackers who were using it.
So how did such a bad bug go undetected for so long? While OpenSSL is a popular standard for server security, it is written and maintained mostly on a voluntary basis. There are 11 members of the OpenSSL team, only one of whom (Stephen Henson) is able to dedicate himself to the project on a full-time basis. Testing a complex system like OpenSSL is no doubt a difficult and tedious task and, unfortunately, a very simple coding error ended up having dire consequences. It is likely that with more time, money, and resources, the bug would have been caught by the OpenSSL team much earlier.
This is not an uncommon situation; there are many other popular projects that rely on volunteer coders and charitable donations for their development and maintenance. Fortunately, Heartbleed has shone a light on the fact that many of these open-source projects are woefully undermanned and underfunded. In order to prevent another Heartbleed-esque fiasco, a consortium of the world’s biggest tech giants (Google, Facebook, Amazon, Intel, etc.) are teaming up with the Linux Foundation to form “The Core Infrastructure Initiative.” This group will provide funding and resources for some of the most integral open-source projects that we all unknowingly rely on, starting with OpenSSL.
In the meantime, OpenSSL has already been patched, but that doesn’t mean that Heartbleed is no longer a threat. Each individual website must apply the patch to their servers, otherwise the hole remains open. As a precaution, it is a good idea to make sure that you have a unique username and password for each site that you visit; this way, if one is compromised, the damage remains limited to one site. You can also check http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/ for an updated list of common sites and their recommendation on how to deal with Heartbleed.