The Long Tail of Heartbleed

jonathan

A few months ago, every Tom, Dick and Harry on the Internet received news about a serious security vulnerability called Heartbleed. 99% would not have understood what on Earth it was; all they knew was that their personal details were possibly at risk and that the issue came complete with its own very snazzy, media-friendly branding.

But what did all this fuss actually mean? What was the vulnerability? How was it discovered? And what are the long-term implications for everyday Internet users and a small but well-formed digital agency such as ourselves? With these questions (and a long-time ambition to sit at the front of a DLR train and pretend to drive) in mind, I headed to the ExCeL in London’s Docklands to attend London Tech Week and a workshop on Heartbleed.

So what is it?

If you’re an Internet user then at some point over the last decade or two you’ve provided sensitive data to a website. This data would be stored on a number of servers and encrypted to prevent hackers from gaining access to your personal or financial details. As part of the common setup of many servers there is a piece of open source software known as OpenSSL, which plays a key part in that encryption and in controlling access to the servers. OpenSSL contains a piece of functionality called ‘Heartbeat’ which accepts regular communications from an outside client and is supposed to send a simple reply to tell the client that the server is still there and connected, without the need to re-establish the connection.

The problem lies in the fact that there were insufficient restrictions on just what the secure server would return. A potential attacker is able to trick the server into returning whatever is in its temporary memory at that time. 99% of the time this would be useless information, but if an attacker tried this enough times, eventually he or she could obtain encryption keys, and with them the ability to decrypt any information on the server.
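The missing restriction described above was a length check. The following C model, added here for illustration rather than taken from OpenSSL, builds a heartbeat response the way the vulnerable code did (trusting the length the client declares) and, with `checked` set, the way the fix does (refusing any request whose declared payload does not fit inside the record that actually arrived); the `arena` buffer is a constructed stand-in for server memory, so the over-read stays inside memory this program owns.

```c
#include <stddef.h>
#include <string.h>

#define HB_HDR 3    /* 1 byte message type + 2 byte payload length */
#define HB_PAD 16   /* padding the heartbeat extension requires after the payload */
#define OUT_CAP 128

/* Builds a heartbeat response from a received request. rec_len is the true
 * size of the record the TLS layer delivered; with checked == 0 that size is
 * ignored, which is the Heartbleed defect. Returns the response length, or
 * -1 if the request is rejected. */
int hb_response(const unsigned char *rec, size_t rec_len,
                unsigned char *out, size_t out_cap, int checked)
{
    if (rec_len < HB_HDR) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];  /* client-controlled */
    /* The fix: declared payload plus padding must fit inside what was received. */
    if (checked && HB_HDR + payload_len + HB_PAD > rec_len) return -1;
    if (HB_HDR + payload_len + HB_PAD > out_cap) return -1;
    out[0] = 0x02;                    /* response type */
    out[1] = rec[1]; out[2] = rec[2]; /* echo the declared length */
    memcpy(out + HB_HDR, rec + HB_HDR, payload_len);  /* copies whatever follows */
    memset(out + HB_HDR + payload_len, 0, HB_PAD);    /* padding, zeroed here */
    return (int)(HB_HDR + payload_len + HB_PAD);
}

/* Constructed stand-in for server memory: a 2-byte "hi" request that claims a
 * 36-byte payload, followed by unrelated data that was never part of it. */
static const unsigned char arena[] =
    "\x01" "\x00\x24" "hi" "0123456789abcdef"  /* the 21-byte record received */
    "KEY-MATERIAL-NEXT-DOOR";                   /* adjacent memory */

/* Bytes in the response that were never part of the request, or -1 if rejected. */
int leaked_bytes(int checked)
{
    unsigned char out[OUT_CAP];
    size_t rec_len = HB_HDR + 2 + HB_PAD;
    int n = hb_response(arena, rec_len, out, sizeof out, checked);
    return n < 0 ? n : n - HB_PAD - (int)rec_len;
}

/* A request whose declared length matches the record is accepted either way. */
int well_formed_response_len(int checked)
{
    unsigned char req[HB_HDR + 2 + HB_PAD] = { 0x01, 0x00, 0x02, 'h', 'i' };
    unsigned char out[OUT_CAP];
    return hb_response(req, sizeof req, out, sizeof out, checked);
}
```

Without the check the response carries 18 bytes of the neighbouring "KEY-MATERIAL" data; with it the malformed request is rejected while a well-formed one still gets its 21-byte reply.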

Disclosure

One of the questions I had going into the workshop was about the far and wide coverage (which has spun off into a brand) that Heartbleed received. There had been no proof that Heartbleed had been discovered by anyone with malicious intent, so why make a big song and dance about it and potentially put at risk any servers that had not been patched to prevent the intrusion?

The workshop’s host, Martin McKeay, senior security advocate at Akamai (one of those companies that you’ve never heard of but is responsible for huge portions of everyday web traffic), was kind enough to give me a perspective on this. The issue was discovered by a researcher at Google, who happened to be going through the offending code, and the information started to be shared among a very closed group of people in the OpenSSL community. As a result, everyone who discovered or was told about the issue was benign, but the fact is that once the knowledge is out there it would gradually spread and spread until someone not so benign got hold of the information. At that point, they would have had an opportunity to exploit the issue at a time when no one in the wider tech community had any idea it existed.

So the full disclosure was made, to give everyone the information all at once. The severity and widespread nature of the issue was communicated so well that it spread past the confines of tech news and became a headline across the world. The response from server operators was swift and wide ranging. Our own hosts had applied the fix within hours of the disclosure, as well as refreshing all our SSL certificates to ensure that, in the incredibly unlikely event that they had been targeted, any leaked encryption keys would be useless. Since Akamai was in possession of hundreds of thousands of keys, with everyone requesting their own to be refreshed RIGHT NOW, they had difficulty responding in a timely fashion. But in the end everything was patched, keys were refreshed and users were strongly advised to change all their passwords. But is that the end of it?

The Long Tail

The ‘long tail’ mentioned in the title of the piece is a phrase used by Martin at the Tech Week workshop and refers to the fact that this is an issue that will stick around for a while yet. While the impact of this bug is believed to be minimal, it has brought into sharp focus the efforts individuals need to make to ensure their data is secure, especially when it comes to passwords. A huge number of people reuse passwords, making the hacking of one system infinitely more dangerous to the user, so the fuss created by Heartbleed and the unprecedented coverage it received should also have a positive impact in the future. More web users are aware of internet security than ever before, and that can only be a good thing. Martin’s talk at the London Tech Week workshop expressed some concern and frustration that internet security has always been given less attention than it deserves from businesses and private users alike. Heartbleed has definitely shown us that this attitude cannot continue.
