Why Heartbleed is good for the Internet
When news of the Heartbleed bug hit the Internet earlier this week, the first thing that happened was that the system administrators of virtually every website on the planet promptly freaked out—and rightly so. Shortly thereafter, millions of individual Internet users, at least the ones who grasped the severity of having their identities stolen, also promptly freaked out—also rightly so. The discovery of such a massively widespread vulnerability as Heartbleed, a hole in the security system used by up to two-thirds of the Web, could easily be called catastrophic without a drop of hyperbole.
Heartbleed is the worst thing to happen to the Internet in a decade. That’s not clickbait, pandering, or an over-simplification. That’s the truth.
Taking the long view, however, it’s possible to see Heartbleed as the beginning of a better era for the Internet. By giving the Internet community as a whole a reason to examine how information is securely passed from Point A to Point B, the end result will likely be a new status quo where our critical data is safer from everyone, from hackers looking to make a quick buck to the prying virtual eyes of government snoops.
First discovered by a researcher at Google and Web security firm Codenomicon, Heartbleed is a bug stemming from about ten lines of malformed code in a piece of software called OpenSSL. Originally designed in the 1990s, OpenSSL is a free, open-source set of encryption tools currently used by hundreds of thousands of websites to make information entered by users indecipherable by potential outside observers.
Since cryptography is mind-bogglingly complicated, developing proprietary encryption software for a single site or Internet company is often prohibitively expensive. As a result, adoption of OpenSSL was a simple, cheap way for sites to secure their data.
But there was--is--a problem. Heartbleed allows an attacker to connect to a server running a vulnerable version of OpenSSL and collect 64kb of unencrypted data. Now, 64kb isn’t a large amount of information, but it’s more than enough to grab someone’s password. Under the right set of conditions, hackers could learn the entire private encryption key used to scramble all the data on a given website. If an attacker learns a site’s private key, it’s pretty much game over. Not only is all of the supposedly secure information users send to a site vulnerable, but it’s possible for them to create a fake version of the site and steal all of the information people enter, from private messages to credit card numbers.
Worst of all, the code responsible for Heartbleed was added to OpenSSL in March of 2012, and successful attacks that take advantage of the vulnerability are essentially undetectable. Hackers may have been sneaking through Heartbleed-sized arteries for nearly two years and there’s no way to go back and check what information was stolen.
While it’s impossible to tell how much damage was done using Heartbleed before news of the bug became public knowledge this month, now that everyone is aware of it, it’s virtually guaranteed that hackers are currently using Heartbleed on a grand scale.
A study conducted by a pair of Swiss researchers on something called “transaction malleability” (a similarly problematic bug in the implementation of the Bitcoin protocol that purportedly resulted in the theft of hundreds of millions of dollars worth of virtual currency) discovered a massive spike in attacks using the exploit immediately following widespread news reports about its existence—this, even though the malleability issue had been raised on relatively obscure online forums years prior.
It may be difficult to determine precisely how many people took advantage of holes like Heartbleed or transaction malleability before they were public knowledge, but copycats are inevitable. In fact, some readers of tech news site Ars Technica reported discovering that their accounts on the site were compromised in the hours immediately following the initial revelation of the bug.
As a result of the Heartbleed flaw, major websites immediately rushed to fix the vulnerability by updating to a patched version of OpenSSL and acquiring new private encryption keys just in case their old ones were compromised. This wave of new private keys being created across the Internet is great for online security.
Heartbleed isn’t the only way attackers could have theoretically learned the contents of a website’s private key. And by switching to a new set of keys, any site whose encryption had been secretly compromised has now just been forced to close up a hole in its security that it might not have even known existed.
There has, of course, been speculation that the NSA could have known about Heartbleed for years and used the bug for its intelligence-gathering activities.
Chet Wisniewski, a senior advisor at online security firm Sophos, told Buzzfeed that he pegged the odds of the government spy agency already knowing about Heartbleed at about 50 percent.
“If they did know about it, they would not have told anyone or sent a patch out or secretly sent a note to say, ‘Hey look at this line of code,’” Wisniewski explained. “When they find this stuff they hold onto it as long as humanly possible because it gives them unfettered access to information.”
Wisniewski added that the agency likely employs teams of computer scientists who pore over the publicly available code for open-source cryptography projects like OpenSSL just to discover vulnerabilities like Heartbleed.
Whether the NSA exploited Heartbleed or not, internal documents released by whistleblower Edward Snowden revealed that the agency had been able to break most of the encryption methods currently in wide use, meaning it’s likely that many of the private SSL keys were already known to the government. The good news for privacy is that switching them out for new ones would make the NSA’s job considerably more difficult. To regain its ostensible advantage, the agency would have to re-crack the security of hundreds of thousands of sites across the Web.
Another benefit: The mess caused by Heartbleed has led many to think about taking proactive measures to prevent this sort of thing from happening again. One method that’s started to gain a bit of traction is called Perfect Forward Secrecy.
Perfect Forward Secrecy basically means that, instead of using a single private key for everything all the time, a website or Internet service constantly switches out old keys for new ones. If one private key is compromised--through Heartbleed or any other vulnerability--that key couldn’t be used to decrypt past or future communications on the site because most information would be encrypted using an uncompromised key.
Unfortunately, implementation of Perfect Forward Secrecy remains relatively uncommon. It does, however, have two prominent supporters. Google has employed Perfect Forward Secrecy on many of its products since 2011. And Facebook announced it would do the same last year. Outside of Google and Facebook, however, the practice isn’t particularly widespread.
To be clear, if Perfect Forward Secrecy had been in place across much of the Internet while Heartbleed was out there, potential damage from the bug would still have been severe—but it could have been significantly reduced.
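The forward secrecy property described above, as an added example that is not part of the original article: an eavesdropper records encrypted sessions, the server's long-term private key later leaks, and the recording is replayed against that key. The Diffie-Hellman group, the hash-based stream cipher and all function names are toy assumptions chosen so the sketch runs on the Python standard library; real TLS also uses the long-term key to sign the per-session value, which is omitted here.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters for illustration only (not a vetted TLS group).
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(their_pub, my_priv):
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def xor_cipher(key, data):
    # Toy stream cipher (SHA-256 in counter mode); the same call encrypts and decrypts.
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def record_sessions(server_long_term_priv, messages, forward_secret):
    """Return what a passive eavesdropper captures: public values and ciphertext."""
    captured = []
    for msg in messages:
        client_priv, client_pub = keypair()
        if forward_secret:
            server_priv, server_pub = keypair()  # fresh per session, then discarded
        else:
            server_priv = server_long_term_priv  # one key reused for every session
            server_pub = pow(G, server_priv, P)
        key = session_key(client_pub, server_priv)
        captured.append((client_pub, server_pub, xor_cipher(key, msg)))
    return captured

def decrypt_with_leaked_key(leaked_priv, captured):
    """What the holder of the leaked long-term key recovers from the recording."""
    return [xor_cipher(session_key(client_pub, leaked_priv), ct)
            for client_pub, _server_pub, ct in captured]

def demo():
    messages = [b"password=hunter2", b"card=4111111111111111"]  # constructed sample data
    long_term_priv, _ = keypair()
    static = record_sessions(long_term_priv, messages, forward_secret=False)
    ephemeral = record_sessions(long_term_priv, messages, forward_secret=True)
    # (recorded static sessions readable?, recorded forward-secret sessions readable?)
    return (decrypt_with_leaked_key(long_term_priv, static) == messages,
            decrypt_with_leaked_key(long_term_priv, ephemeral) == messages)

if __name__ == "__main__":
    print(demo())
```

The sketch covers only recorded traffic: data sitting in a vulnerable server's memory at the moment of a leak is exposed in either mode, which is why the damage would have been reduced rather than eliminated.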
Website administrators aren’t the only ones who have been urged to take steps to protect themselves from Heartbleed. Individual Internet users have been called upon to change their passwords en masse. People have been cautioned to wait a few days to make the change to ensure that sites have immunized themselves against Heartbleed attacks. Entering a new password into a still-vulnerable site leaves the new password just as exposed as the old one.
Even so, getting people to change their passwords and spend a few moments thinking about password security is, unquestionably, a good thing. People’s passwords get compromised all the time, so regular password swaps are generally advisable.
When someone has to go out and change their passwords due to a security breach, they might decide against using a particularly easy-to-crack password. As a list of the most commonly used passwords of 2013 reveals, people are terrible at picking passwords. The passwords at the top of last year’s list were “123456” and “password,” which is pretty embarrassing for everyone involved because even the simplest password-guessing program could crack these in a matter of seconds.
Strong passwords use random, or at least seemingly random, collections of numbers, letters (both upper and lower case), and symbols. Strong passwords also aren’t used across multiple sites. If the Heartbleed debacle causes more people to strengthen their password regimens, security across the Internet is inevitably going to improve.
The Heartbleed bug also turned a significant amount of newfound attention to just how OpenSSL was created and maintained in the first place. Even though OpenSSL is in widespread use across the Internet, and a key element of the security of numerous multibillion-dollar corporations, the team behind the software was shockingly small—with just a single full-time employee working on the project alongside a small handful of contributors from around the world.
“When you consider how complicated and significant a piece of software it is, and how critical a piece of infrastructure it is, it is kind of mind-boggling,” Steve Marquess, president of the OpenSSL Software Foundation, told the Washington Post. “It’s such a thin thread.”
Ben Laurie, one of the programmers who works on the software, insisted that Heartbleed could theoretically have been discovered months earlier if the group had been able to raise more money for an audit of the software it had planned.
“There are a lot of companies making big bucks that use this in their core products,” Laurie told the Huffington Post. “They should be making contributions, but their position is, ‘We found this nice thing you’re giving away for nothing. That’s kind of you, but we’re not going to help you.’”
The Foundation, which is run as a for-profit organization, was only able to earn $1 million for all of last year, with only about $2,000 coming in the form of donations.
Matthew Green, a cryptographer and research professor at Johns Hopkins University, offered the optimistic prediction that, “maybe in the midst of patching their servers, some of the big companies that use OpenSSL will think of tossing them some real no-strings-attached funding so they can keep doing their job.”
If nothing else, Heartbleed may lead to a rethinking of precisely what it means that so many of the most important programs on the Internet are created and upgraded by disparate networks of often underfunded--and, in many cases, volunteer-backed--programmers.
Viewed from the right angle, the discovery of Heartbleed triggered a collective--and productive--panic among not just the type of people who typically devote a significant amount of mental energy to online security, but also a larger subset of the general population who couldn’t tell an encryption key from the one that unlocks their car. Heartbleed provides both groups with the opportunity to think long and hard about how to keep information safe online and maybe even challenge certain precepts currently held as axiomatic.
Yes, the possibility of overreaction creating potentially negative consequences is certainly present. Just as the 9/11 attacks triggered a dangerous expansion of the surveillance state, Heartbleed could put an end to the vibrant ecosystem of open-source developers making some of the most important pieces of software in history. That would be extremely unfortunate. If, however, the online community reacts rationally and intelligently, Heartbleed could push the Internet into a much safer place than it was before.