Governments are starting to respond to the Heartbleed bug that has captured the Internet’s attention for much of the last week. The United States Department of Homeland Security has published a blog post recommending that Internet users change their passwords as soon as they have confirmed that a website has been secured. The Canada Revenue Agency stopped offering online tax-filing services when the bug was first revealed earlier this week. Heartbleed hasn’t only captured the attention of security professionals — it’s caught the government’s, too.
But the bug might not be as dangerous as many first feared. CloudFlare writes in its blog that it has been unable to access private SSL keys on its software stack despite “extensive testing.” While the company does “not yet feel comfortable” saying that it’s impossible to grab private keys with the bug, it does say that “if it is possible, it is at a minimum very hard.” Heartbleed still represents a serious threat to Internet security, but most information is probably secure.
The Department of Homeland Security’s warning should help it stay that way. The constant coverage of Heartbleed’s effect on Internet security ought to convince both consumers and the companies responsible for their information that this problem is worth fixing. It might also make them rethink their reliance on software written by unpaid volunteers and trusted just because it’s open-source and thus viewable by anyone interested in checking its capabilities.
Heartbleed has a dire name. Its branding is better than most of the startup logos we’ve seen in the last few years. Those two things have no doubt contributed to its ability to make sure that everyone, from renowned security professionals and the Department of Homeland Security to the Canada Revenue Agency and tech bloggers, is paying attention to this critical flaw. And, perhaps more importantly, paying attention to the structural problems that allowed it to exist.
Reactions from around the Web
The Department of Homeland Security concludes its blog post with the following:
While there have not been any reported attacks or malicious incidents involving this particular vulnerability confirmed at this time, it is still possible that malicious actors in cyberspace could exploit un-patched systems. That is why everyone has a role to play to ensuring our nation’s cybersecurity. We have been and continue to work closely with federal, state, local and private sector partners to determine any potential impacts and help implement mitigation strategies as necessary.
Cybersecurity is a shared responsibility and when we take steps to ensure our own cyber safety, we are also helping to create a safer Internet for others.
CloudFlare writes about the issue on its blog:
While we believe it is unlikely that private key data was exposed, we are proceeding with an abundance of caution. We’ve begun the process of reissuing and revoking the keys CloudFlare manages on behalf of our customers. In order to ensure that we don’t overburden the certificate authority resources, we are staging this process. We expect that it will be complete by early next week.
In the meantime, we’re hopeful we can get more assurance that SSL keys are safe through our crowd-sourced effort to hack them. To get everyone started, we wanted to outline the process we’ve embarked on to date in order to attempt to hack them.
The Wall Street Journal reports that Wi-Fi routers have also been affected by the bug:
These devices likely will be more difficult to fix. The process involves more steps and businesses are less likely to check the status of network equipment, security experts said.
Bruce Schneier, a cybersecurity researcher and cryptographer, said, ‘The upgrade path is going to involve a trash can, a credit card, and a trip to Best Buy.’
But BBC says that despite the possibility of tampering, most home Internet tools will be safe:
There had been reports that domestic home networking equipment – such as wi-fi routers – might also make use of unpatched versions of the OpenSSL cryptographic library used to digitally scramble sensitive data.
However, a security researcher at the University of Cambridge’s Computer Laboratory said he thought this would be a relatively rare occurrence.
‘You would have to be a semi-professional to have this sort of equipment at home,’ Dr Richard Clayton told the BBC.
Pando weighs in
I wrote about the shaky idea that the Internet can ever truly be secure after the bug was revealed:
The bug is said to have been around since 2012. The sheer number of websites that use OpenSSL — including Yahoo, Imgur, and OKCupid — means that many millions of Internet users may have potentially had their privacy compromised over the last two years. Combine that with the news that Apple had failed to implement a security tool in its mobile and desktop operating systems for more than a year and the idea that anyone can ever be truly secure online seems permanently out of reach.
I then wrote about why being able to change your passwords is a good thing:
The good news is that passwords for services like Facebook and Gmail can be changed. It would be much harder to protect against compromised biometric security measures — what are you gonna do, burn your fingertips and tattoo some new patterns onto them?
Having to change all of your passwords sucks. Not being able to adapt to compromises in the security measures that protect all of your personal information, however, would be even worse.
And then I wrote about how small mistakes can have enormous consequences on the modern Web:
Finding these errors would be like finding a typo in “Infinite Jest” – it’s not going to be easy unless you know just what you’re looking for.
But the ramifications of these mistakes aren’t quite so minuscule. Hundreds of millions of people rely on Apple’s products to browse the Web. Even more interact with a large number of websites that use OpenSSL. It’s impossible to know how many people have been affected by these mistakes, but the threat itself has been enough to put security experts on high alert.
That’s the truth of Internet security. All it takes is for a team of professionals to miss two words, or for two unpaid volunteers to miss a “quite trivial” mistake in a widely-used utility, for the privacy of essentially everyone who uses the Internet to be threatened. Welcome to the Web, where a single misplaced strand can cause a disaster few will notice until years later.