Wednesday, April 09, 2014

Https undermined by discovery of "Heartbleed" vulnerability in Open SLL; the web's equivalent to Ebola?

There’s a lot of hype in the news suddenly about the Heartbleed Bug, starting with this reference site.   The bug would allow an attacker to read memory areas of OPENSSL software (where a “heartbeat” continues), which normally is expected to provide encryption with https.   The name of the vulnerability is metaphorical; it sounds like Open SSL is infected with Ebola virus (or at least Marburg).  CERT at Carnegie in Pittsburgh will have a lot to say about this one. (The name is "Heartbleed", not "Heartbeat").  
There is a technical explanation, in terms of actual code, on the Cryptography Engineering blog here.  It’s clear that any company offering https encryption for consumers or stakeholders needs to fix the problem carefully.
Codenomicon, involved with Google in discovering the flaw, has a write-up here
Media reports are saying that users should change all their passwords now.  But this probably wouldn’t help until companies have had time to fix the bug.  For many home users, a gradual change is probably what will be in order.  It’s not clear that this bug has related to actual losses, or whether there is any conceivable connection to the Target and other similar breaches.  It probably has exposed some people to NSA or foreign intelligence surveillance, but this may not be a practical concern for most average users or even small business owners.  It would be a problem for businesses that take credit cards online without outsourcing to much larger retail service vendors like Amazon.  Ticket vendor sites (which are difficult to keep track of anyway) are likely to experience issues. 
Timothy B. Lee explains the Heartbleed bug on Vox here.  It’s the “secret key” exposure that is serious for some users.  There’s no way to know for sure if a password of an institution not protected was changed.
Probably, most users will start getting notification soon from some of their financial institutions and perhaps social media sites and other vendors (like show tickets) that they should change passwords.  2-step verification could also be a valuable technique.   

Electronic Frontier Foundation calls this concept "perfect forward secrecy", story here
For some reason, Facebook these days is not always staying logged on.  I don’t know if this is related to the problem.
Back in the 1990s, a co-worker called me “Ebola Bill”.  For good reason?  

Update: later April 9

Tim Lee wrote another article urging users to change passwords now.  Here it is.  I haven't seen any emails from any vendors yet urging pw changes.  

No comments: