Newly discovered Heartbleed vulnerability means most of the Internet is insecure
Researchers have discovered a vulnerability in the OpenSSL software library that, according to Ars Technica, opens two-thirds of the Web to eavesdropping.
Dubbed the Heartbleed bug, this vulnerability affects newer versions of OpenSSL, reportedly by "compromising the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content" of affected systems' memory. A version of OpenSSL that patches the vulnerability has been released -- the researchers who found the bug say that it's now up to software vendors to adopt the fixed version and notify their users of the problem.
The bug is said to have been around since 2012. The sheer number of websites that use OpenSSL -- including Yahoo, Imgur, and OKCupid -- means that many millions of Internet users may have had their privacy compromised over the last two years. Combine that with the news that Apple had failed to implement a security tool in its mobile and desktop operating systems for more than a year, and the idea that anyone can ever be truly secure online seems permanently out of reach.
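The defect behind this story is a missing bounds check: a heartbeat request carries a 16-bit length field, and the handler trusted that peer-supplied length instead of the number of bytes actually received, so a reply could echo back whatever happened to sit next to the record in memory (up to 65535 bytes, the largest value a 16-bit field can hold). The following C program is an added illustration written for this article, not OpenSSL's own code: it models both the unchecked handler and the corrected one against a constructed "arena" that stands in for process memory, with a constructed secret placed a few kilobytes past the record. The record layout, the arena, the secret and all function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for process memory: the incoming record sits at
 * offset 0 and an unrelated secret sits further along. Not a real layout. */
#define ARENA_SIZE 70000
#define MAX_PAYLOAD 65535          /* largest value a 16-bit length field can hold */
#define SECRET_OFFSET 4096         /* where the constructed secret lives in the arena */

/* Heartbeat-style request: 1-byte type, 2-byte big-endian payload length, payload. */
enum { HB_HEADER = 3, HB_REQUEST = 1 };

static uint8_t arena[ARENA_SIZE];
static uint8_t reply[MAX_PAYLOAD];
static const char SECRET[] = "SESSION-COOKIE=constructed-sample-value"; /* constructed */

/* Unchecked handler, modelled on the bug the article describes: it copies
 * as many payload bytes as the peer *claims*, regardless of how many bytes
 * the record actually contained. Reads past the record when the claim is bigger. */
size_t heartbeat_reply_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    (void)rec_len;                                   /* the received length is never consulted */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    memcpy(out, rec + HB_HEADER, payload);
    return payload;
}

/* Corrected handler: the claimed payload length must fit inside the bytes
 * actually received, otherwise the record is rejected without a reply. */
long heartbeat_reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < HB_HEADER || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + payload > rec_len) return -1;    /* the check that was missing */
    memcpy(out, rec + HB_HEADER, payload);
    return (long)payload;
}

/* Builds a record that claims 65535 payload bytes but actually carries 2,
 * and plants the constructed secret elsewhere in the arena. Returns the
 * number of bytes that were really received. */
static size_t build_oversized_claim_record(void) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = 0xFF; arena[2] = 0xFF;                /* claimed length: 65535 */
    arena[3] = 'h';  arena[4] = 'i';                 /* real payload: 2 bytes */
    memcpy(arena + SECRET_OFFSET, SECRET, sizeof SECRET);
    return 5;
}

/* 1 if the unchecked handler's reply carries the unrelated secret, else 0. */
int unchecked_handler_leaks_secret(void) {
    size_t rec_len = build_oversized_claim_record();
    size_t n = heartbeat_reply_unchecked(arena, rec_len, reply);
    if (n < SECRET_OFFSET - HB_HEADER + sizeof SECRET) return 0;
    /* arena offset SECRET_OFFSET maps to reply offset SECRET_OFFSET - HB_HEADER */
    return memcmp(reply + SECRET_OFFSET - HB_HEADER, SECRET, sizeof SECRET) == 0;
}

/* The checked handler on the same record: -1 means rejected. */
long checked_handler_on_oversized_claim(void) {
    size_t rec_len = build_oversized_claim_record();
    return heartbeat_reply_checked(arena, rec_len, reply);
}

/* The checked handler on an honest record: returns the echoed length (2). */
long checked_handler_on_honest_record(void) {
    uint8_t rec[] = { HB_REQUEST, 0x00, 0x02, 'h', 'i' };
    long n = heartbeat_reply_checked(rec, sizeof rec, reply);
    if (n == 2 && memcmp(reply, "hi", 2) == 0) return n;
    return -2;
}

int main(void) {
    printf("unchecked handler leaks secret: %d\n", unchecked_handler_leaks_secret());
    printf("checked handler on oversized claim: %ld\n", checked_handler_on_oversized_claim());
    printf("checked handler on honest record: %ld\n", checked_handler_on_honest_record());
    return 0;
}
```

The one-line difference between the two handlers is the comparison of the claimed length against the received length; everything the article's sources describe (leaked keys, passwords, page content) follows from that comparison being absent. For detection and hardening, the same idea applies to any length-prefixed protocol: never let a peer-controlled length drive a copy without bounding it by the bytes actually present.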
Reactions from around the Web
Krebs on Security reports that a simple utility taking advantage of the vulnerability has been released:
Researchers have uncovered an extremely critical vulnerability in recent versions of OpenSSL, a technology that allows millions of Web sites to encrypt communications with visitors. Complicating matters further is the release of a simple exploit that can be used to steal usernames and passwords from vulnerable sites, as well as private keys that sites use to encrypt and decrypt sensitive data.
CloudFlare has adopted the newest version of OpenSSL, which fixes the vulnerability:
Today a new vulnerability was announced in OpenSSL 1.0.1 that allows an attacker to reveal up to 64kB of memory to a connected client or server (CVE-2014-0160). We fixed this vulnerability last week before it was made public. All sites that use CloudFlare for SSL have received this fix and are automatically protected.
OpenSSL is the core cryptographic library CloudFlare uses for SSL/TLS connections. If your site is on CloudFlare, every connection made to the HTTPS version of your site goes through this library. As one of the largest deployments of OpenSSL on the Internet today, CloudFlare has a responsibility to be vigilant about fixing these types of bugs before they go public and attackers start exploiting them and putting our customers at risk.
LastPass claims that its users' stored passwords will be unaffected by the vulnerability:
LastPass utilizes OpenSSL for HTTPS/TLS/SSL encryption and we were therefore “vulnerable” to this bug. For anyone who was using this tool: http://filippo.io/Heartbleed/#lastpass.com to check whether LastPass was vulnerable, it would have shown that we were vulnerable until this morning, when we restarted our servers after the patched OpenSSL software update.
However, LastPass is unique in that your data is also encrypted with a key that LastPass servers don’t have access to. Your sensitive data is never transmitted over SSL unencrypted - it’s already encrypted when it is transmitted, with a key LastPass never receives. While this bug is still very serious, it could not expose LastPass customers’ encrypted data due to our extra layers of protection. On the majority of the web, user data is not encrypted before being transmitted over SSL, hence the widespread concern.
The Tor Project suggests staying away from the Internet for a little while:
If you're using an older OpenSSL version, you're safe.
Note that this bug affects way more programs than just Tor — expect everybody who runs an https webserver to be scrambling today. If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle.
The Guardian recommends the same thing:
For users, the simplest thing to do may be to refrain from engaging in sensitive activities on the internet for a few days. Typical responses to security breaches, such as changing passwords, may even serve to exacerbate the problem. While there are tests which will show whether a particular website is vulnerable, checking every site is cumbersome, and the most popular web-based test is suffering under heavy load.
Perhaps Leah Reich (@ohheygreat) and Tim Maly (@doingitwrong) put it best on Twitter: