Heartbleed is a web server vulnerability that makes encrypted data passing through websites easily readable. It is particularly scary for three reasons: it impacts a massive cross-section of the internet, it threatens the security of personal data such as passwords and credit card numbers, and, because it leaves behind no evidence that any data was ever compromised, it is incredibly stealthy.
When we learned of the issue and its severity, we scanned our clients’ websites as well as our own internal assets. Thankfully, we verified that none of our clients’ websites were vulnerable to Heartbleed. However, we also found that some of our own assets were, so we immediately patched and secured them with fresh certificates.
Make no mistake, the risk is truly extreme. According to computer security expert Bruce Schneier, “‘Catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.” Put quite simply, you should assume every one of the passwords you use online is now public information. Some companies have gone so far as to advise users to stop using their services until the issues are resolved.
This entire process has brought me to a few realizations:
1.) The internet is currently open for looting.
When I learned about the scope and impact of Heartbleed, I immediately started testing our websites using a Heartbleed checker utility. A few moments later, I realized that my behavior at that moment was driven by fear and desperation. I did not know the people that made the checker, and somebody with evil intent could actually have been using it to collect our data for nefarious purposes. I have reason to believe that this was not the case in this instance, but it occurred to me that, if I wanted to be evil, I would want a list of vulnerable websites. What better way to generate that list than to create a utility that claims to help, but also records the information people enter and sends it back to me? I could start collecting keys and data and, sometime later, start looking for those sites that fall into the trap of patching for Heartbleed but not updating their security certificates, subjecting all their future data transmission to capture as well.
2.) People downplay risk (really, you’d think denial actually helped).
When I asked an outside developer we work with if he had heard about Heartbleed, his response was not one of alarm. It was only later that evening that I received the appropriate “oh shit” response. Furthermore, a web host we use that appeared vulnerable acknowledged the issue when I opened a ticket, but their announcement later was that their system engineers had already upgraded the server, and no action was needed on our part. I wrote back saying thank you for the patch (I was honestly thankful as it’s a self-managed server), but what about the certificates? Don’t they need updating? They were previously generated by a third party, so they couldn’t have updated them without my participation. Well, yes, they responded, that would be recommended. It’s hard for me to think that they were not downplaying the risk, covering their own butts with the actions they could take, and, to some extent, misleading the masses that pay them for hosting.
3.) Mission critical open source projects need funding.
If commercial industry standards are being built on open source software – and they are – then we need a better model to maintain these as enterprise-grade solutions. We have a few sites where we pay annually for SSL certificates because they are necessary for security, and I’d certainly be willing to pay a little extra toward maintaining the integrity of the protocol or to allocate a small percentage of each SSL purchase for this cause. I don’t really have a solution; I am just recognizing the problem for what it is. A donate button is simply not enough.
4.) Personal passwords are broken.
Advising clients to update their personal passwords got me thinking about all the pains surrounding passwords. I think the problem stems from habits formed before the internet. Consider a combination lock with a four-digit code. It is perfect for securing a locker at the YMCA and guards against a couple of evil people that might try to break in; they probably won’t be able to guess the code. Now, imagine that lock is internet-enabled, and all of a sudden millions of evil people can try to guess your four-digit code. The odds are no longer in favor of the lock. The crappy truth is, if you can remember your password, it’s probably not a good password.
5.) Nothing is really secure.
I have read a little about what the NSA does, so this is no great epiphany, but nothing is secure. Heartbleed was actually discovered in 2012 and was only made public in 2014. Somebody was probably using it in the meantime and paying for the privilege while it was non-public. Here we do our best to follow these issues and take reasonable steps against threats, but any true effort to secure data from someone capable of and intent on gaining access is likely to be futile and should probably be its own business. What I mean is, if your data security is that valuable, then you should hire computer security experts to do penetration testing and the other research needed to ensure it can safely exist in high-security zones.
The post Heartbleed: An “Oh Shit” Moment and Related Realizations appeared first on Strategic Web Marketing — Applied Interactive.