Tuesday, April 15, 2014

Heartbleed bug aftershocks could slow down Internet as many sites have to revoke their security certificates all at once

Brian Fung, Washington Post technology blogger, titles an article online (on The Switch blog) quite bluntly: “Heartbleed is about to get worse, and it will slow the Internet to a crawl,” link here. The front-page print version Tuesday morning (April 15) is a little more reserved: “Heartbleed bug’s fixes threaten to disrupt Web; Newly revealed vulnerability forces sites to take action that could slow down Internet”. Indeed, the whole encryption infrastructure has a case of Ebola virus.

The basic problem is that many sites, especially smaller businesses, will have to revoke their security certificates and install new ones. Browsers will have to download long lists of revoked certificates to check against, because of the flood of cancellations in a short time. The problem may be worse for mobile users, especially on Android, than for desktop and laptop users with high-speed connections. The bandwidth capacity of some providers could be challenged, although telecommunications companies like Comcast and Verizon will probably be expecting the surge.
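The revocation mechanism the paragraph describes, shown end to end as an added example (this is not code from the post or from the Washington Post article): a throwaway CA issues a certificate, revokes it and publishes a certificate revocation list (CRL), and then `openssl verify` is run with and without CRL checking. The CA name example-ca.test, the hostname www.example.test and the CA directory layout are all constructed for the demo, which assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the blog post). Builds a temporary CA, issues a
# leaf certificate, revokes it via a CRL, and shows which verifier settings
# actually notice the revocation. All names are constructed for the demo.
set -e

# Create the CA, the leaf certificate and a minimal "openssl ca" database.
# Prints the working directory so the other functions can find the files.
setup_ca() (
    dir=$(mktemp -d)
    cd "$dir"
    # One config file serves both "openssl req" (empty DN section, since the
    # subject is passed with -subj) and "openssl ca" (database for the CRL).
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = index.txt
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 1
EOF
    : > index.txt          # empty issued-certificate database
    echo 01 > crlnumber    # first CRL number
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout ca.key -out ca.crt -subj "/CN=example-ca.test" >/dev/null 2>&1
    openssl req -config ca.cnf -newkey rsa:2048 -nodes \
        -keyout leaf.key -out leaf.csr -subj "/CN=www.example.test" >/dev/null 2>&1
    openssl x509 -req -days 1 -in leaf.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -out leaf.crt >/dev/null 2>&1
    echo "$dir"
)

# Revoke the leaf certificate and publish a signed CRL (ca.crl).
revoke_cert() (
    cd "$1"
    openssl ca -config ca.cnf -revoke leaf.crt >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
)

# Verify the leaf against the CA. Mode "plain" skips revocation checking,
# mode "crl" requires a CRL. Prints valid | revoked | no-crl | invalid.
check_cert() (
    cd "$1"
    opts=""
    if [ "$2" = "crl" ]; then
        opts="-crl_check"
        [ -f ca.crl ] && opts="$opts -CRLfile ca.crl"
    fi
    # $opts is intentionally unquoted so its words become separate options.
    if out=$(openssl verify $opts -CAfile ca.crt leaf.crt 2>&1); then
        echo valid
    else
        case $out in
            *"certificate revoked"*)           echo revoked ;;
            *"unable to get certificate CRL"*) echo no-crl ;;
            *)                                 echo invalid ;;
        esac
    fi
)

main() {
    dir=$(setup_ca)
    echo "before revocation, no CRL check:  $(check_cert "$dir" plain)"
    echo "before revocation, CRL check:     $(check_cert "$dir" crl)"
    revoke_cert "$dir"
    echo "after revocation,  no CRL check:  $(check_cert "$dir" plain)"
    echo "after revocation,  CRL check:     $(check_cert "$dir" crl)"
    rm -rf "$dir"
}
main
```

Two lines of the output carry the point. After revocation, the verifier that does not consult a CRL still reports the certificate as valid, which is why the flood of post-Heartbleed revocations matters: a key that leaked through the bug stays usable for anyone whose client never checks. The CRL-checking verifier, on the other hand, reports `no-crl` when it cannot obtain the list at all, so a client that checks strictly depends on downloading the (now much longer) CRLs the paragraph describes.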

There is also the question of whether browsers could be changed to search long lists of previously encountered revocations more efficiently.

Here’s how you can check certificate status:

As of the middle of the day Tuesday, I haven’t noticed much effect yet on website speed, although I have to order some tickets online soon. I did watch a long YouTube video yesterday with no effect.

It appears that the big companies like Google and Facebook have done all their fixes. As I noted yesterday, WordPress seems to have some issues that may be related. I’ve personally handled these fixes without difficulty. Banks, by and large, weren’t using this facility. The biggest users might be sites that sell tickets and travel. They could have a hard time getting reprogramming done properly.

One idea that I think smaller sites must consider is separating content from commerce, and using more than one domain. Although I know that the Electronic Frontier Foundation has recommended that people use https everywhere, I don’t think that is necessary for ordinary news browsing in western countries. No, I don’t see the NSA as an issue here, but I would be concerned overseas in places like Russia and China.

It used to be common for book authors to set up sites offering some free content and then their own e-commerce to sell books. Now, I simply outsource all my own credit card stuff to Amazon, Barnes and Noble, iUniverse and Xlibris so I don’t have to offer secured encrypted access at all (although foreign visitors might have an issue – and my analytics show a lot of traffic from non-democratic countries, despite all the filters and censorship).

In the meantime, the public is paying more attention to the way the world’s security infrastructure is maintained, often by amateurs and volunteers, sometimes in remote areas. The Washington Post is now wisely writing that we should not be trusting control of the power grid and industrial processes to an infrastructure without more professional oversight.
