First published: 30th April 2014
The biggest IT security story this month, the Heartbleed bug in OpenSSL, has reached the mainstream news media, so it would be a glaring omission not to mention it in this newsletter. Enough has been written about it elsewhere, so this is a summary and some pointers for anyone wondering about it a little.
What is Heartbleed?
It is a bug in some versions of software used to protect data being transferred across the internet.
Which software?
OpenSSL 1.0.1 to 1.0.1f. OpenSSL is software to make SSL connections, other packages do the same thing.
What does that do?
It encrypts data before sending it across the internet and, at the other end, decrypts the data.
How does Heartbleed Work?
The webcomic XKCD has an excellent cartoon explaining how Heartbleed works.
Am I Affected?
Yes. SSL is very commonly used to protect sensitive web pages. If you have noticed an address starting https: instead of http:, that site was using SSL to encrypt the data for transfer - both the webpage contents, and anything you sent to the website. It is also used in many other situations where sensitive data is transferred.
Now, your computer may be using different software for SSL, but, if the other end is using OpenSSL, an attacker could target that and get your information. So, you are affected even if you are not using OpenSSL yourself.
What Do I Do?
Are you a system administrator or a user?
System Administrators
- Patch your systems. OpenSSL 1.0.1g has been released. Install it as soon as possible.
Then, get new certificates for your servers.
Is a change of certificates a must?
Yes, it is. You're worried that your users will have trouble with the applications dependant on the certificate. Unfortunately, there is no way of knowing whether your server's private key has been copied, so, to be safe, you must get new certificates. This will be a real pain if your users have added an exception for your server certificate, you will have to tell them all about the new one, and what to do with it.
However, if you know the private keys of the certificate chain have not been exposed (i.e., they have never been present on a vulnerable host) it shouldn't be necessary to change those certificates. So, if you generated your own self-signed root cert and kept the private key safe and your clients have imported that root cert, they will accept the new server certs you generate using the same root.
This also will not be an issue if you are using a certificate issued by a widely-recognised CA.
- Tell your users to change their passwords.
Users
When the systems administrators of vulnerable sites tell you that they have updated their systems and installed new server certificates, change your passwords.
If you use the same password on multiple sites, you are very naughty. Now you have to change the passwords on sites that were not vulnerable, but you used the same password as a vulnerable site. This time, please use different passwords on each site. Use a password manager if you find it difficult to remember them all.
What Data Has Been Stolen?
No-one knows.
The good news is, if systems administrators and users promptly follow the advice, no more data will be compromised by Heartbleed.
The bad news is, we do not know if anyone else knew about the flaw and used it before the announcement was made. There are no clues left if it is used, so, in the worst case, criminals (or hostile governments, etc.) could have been quietly exploiting the Heartbleed flaw for up to two years.
On the other hand, the more criminals that knew about it, the more likely it would be that someone got careless and left clues that would lead security researchers to realise what was happening. So, perhaps only a small number of criminals were using it, presumably to attack high-value targets. It's all guesswork.
What does this mean for Open Source Projects?
This will add fuel to the open source/proprietary software argument. Open source says, "anyone can look for bugs" but, in reality, few do, and OpenSSL had only 4 overworked contributors. On the other hand, nothing about proprietary software makes bugs like this less likely or easier to find. The only thing guaranteed is that they will have a better PR team reassuring people that "there are no confirmed cases of this being exploited". Perhaps a few more techies can persuade their managers that contributing time to open source projects is valuable to their organisations.