A Gaping Hole in Internet Security?
Yet another security hole in a widely-used Internet protocol implementation has been discovered, prompting headlines about dire things that could have happened, may have happened, and might be happening to you this very instant. Here's what you need to know about the Heartbleed bug...
What is Heartbleed?
The software flaw dubbed Heartbleed, publicly disclosed on Monday, April 7th, is a hole in OpenSSL, an open-source implementation of the SSL/TLS protocols used to encrypt Internet connections. The faulty code was committed to OpenSSL at the end of December 2011 and shipped in OpenSSL 1.0.1 in March 2012; every release from 1.0.1 through 1.0.1f carries the bug, and 1.0.1g, released with the disclosure, fixes it. The older 1.0.0 and 0.9.8 branches were never affected.
That flaw, which security researchers are calling “Heartbleed” (CVE-2014-0160), sits in OpenSSL's implementation of the TLS heartbeat extension. A heartbeat request carries a small payload plus a field stating the payload's length, and the server is supposed to echo the payload back. The unpatched code trusts that length field without checking it against the number of bytes actually received, so a request that claims a large payload but sends a tiny one is answered with up to 64 kilobytes of whatever happens to sit next to it in the server's memory. An attacker can repeat the request as often as it likes, harvesting critical data: the server's private key, and unencrypted portions of users' communications such as passwords and session cookies.
The data that can be collected through this hole could be used to hijack sessions and steal a user's identity. With the server's private key, an attacker can impersonate the site or decrypt traffic captured earlier (unless the connections used forward-secrecy cipher suites). The bug does not hand an attacker control of the server itself; it is a read-only leak of memory, but that memory holds the secrets everything else depends on. It's a big hole, a very serious problem, and system administrators who use OpenSSL are rushing to patch it and to replace the keys and certificates that may have been exposed.
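To make that missing length check concrete, here is a self-contained C simulation of the heartbeat handler. It is written for this article and is not OpenSSL's own code: it lays out a constructed block of memory holding a heartbeat record followed by a secret string, then feeds an attacker's request (claimed length 64, real payload 5 bytes) to a handler with the original trust-the-header logic and to one carrying the check that the 1.0.1g patch added. The record layout, the secret and the clamp that keeps the demo inside its own buffer are all assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated process memory for this demo: a heartbeat record at the start,
 * followed by a secret that should never leave the process. (Constructed
 * layout; real OpenSSL buffers are heap allocations, but the bug is the same.) */
#define MEM_SIZE 256
#define HB_REQUEST 1          /* HeartbeatMessageType: heartbeat_request */
#define HB_PADDING 16         /* minimum padding required by RFC 6520 */
static unsigned char g_mem[MEM_SIZE];
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY-----";   /* constructed stand-in */
static const char REAL_PAYLOAD[] = "hello";

/* Lays out a record whose header claims `claimed_len` payload bytes but whose
 * real payload is only strlen(REAL_PAYLOAD) bytes, then parks the secret right
 * after the record. Returns the record's true length (what was really received). */
size_t build_memory(uint16_t claimed_len) {
    size_t real_len = strlen(REAL_PAYLOAD);
    size_t record_len = 1 + 2 + real_len + HB_PADDING;
    memset(g_mem, 0, sizeof g_mem);
    g_mem[0] = HB_REQUEST;
    g_mem[1] = (unsigned char)(claimed_len >> 8);   /* payload_length, big-endian */
    g_mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(g_mem + 3, REAL_PAYLOAD, real_len);
    memcpy(g_mem + record_len, SECRET, sizeof SECRET);
    return record_len;
}

/* Vulnerable handler (the logic of OpenSSL 1.0.1 through 1.0.1f): trusts the
 * length in the header and copies that many bytes into the response, never
 * asking how many bytes actually arrived. The clamp only keeps this demo
 * inside g_mem; the real code had no clamp at all. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                            unsigned char *resp, size_t resp_size) {
    (void)record_len;                               /* the bug: never consulted */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (payload > MEM_SIZE - 3) payload = MEM_SIZE - 3;
    if (payload > resp_size) payload = resp_size;
    memcpy(resp, rec + 3, payload);                 /* reads past the record */
    return payload;
}

/* Fixed handler (the logic of the 1.0.1g patch): a claimed length that does
 * not fit inside the received record is an attack, and the request is dropped. */
int heartbeat_fixed(const unsigned char *rec, size_t record_len,
                    unsigned char *resp, size_t resp_size, size_t *out_len) {
    if (record_len < 1 + 2 + HB_PADDING) return -1;  /* too short to hold anything */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > record_len) return -1;  /* the missing check */
    if (payload > resp_size) return -1;
    memcpy(resp, rec + 3, payload);
    *out_len = payload;
    return 0;
}

/* Scans a response for the secret, as an attacker would grep leaked memory. */
int contains_secret(const unsigned char *buf, size_t n) {
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(buf + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* One malicious request against both handlers. Returns 1 when the vulnerable
 * handler leaked the secret and the fixed handler refused the request. */
int run_demo(uint16_t claimed_len) {
    unsigned char resp[MEM_SIZE];
    size_t record_len = build_memory(claimed_len);
    size_t n = heartbeat_vulnerable(g_mem, record_len, resp, sizeof resp);
    int leaked = contains_secret(resp, n);
    size_t m = 0;
    int rc = heartbeat_fixed(g_mem, record_len, resp, sizeof resp, &m);
    return leaked && rc == -1;
}

/* An honest request (claimed length == real length) must still be answered
 * by the fixed handler; the check must not break legitimate heartbeats. */
int honest_request_ok(void) {
    unsigned char resp[MEM_SIZE];
    size_t real_len = strlen(REAL_PAYLOAD);
    size_t record_len = build_memory((uint16_t)real_len);
    size_t m = 0;
    if (heartbeat_fixed(g_mem, record_len, resp, sizeof resp, &m) != 0) return 0;
    return m == real_len && memcmp(resp, REAL_PAYLOAD, m) == 0;
}

int main(void) {
    printf("claimed 64 bytes: vulnerable leaks, fixed rejects -> %d\n", run_demo(64));
    printf("claimed 65535 bytes: vulnerable leaks, fixed rejects -> %d\n", run_demo(65535));
    printf("honest 5-byte request accepted by fixed handler -> %d\n", honest_request_ok());
    return 0;
}
```

Build it with any C99 compiler (`cc -std=c99 -Wall heartbeat_demo.c`) and run it. The point to notice is how small the fix is: one comparison between the length the peer claims and the length the peer actually sent. Without it the response is built from bytes that were never part of the request, which is exactly why an attacker can keep asking and keep receiving fresh slices of memory.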
How bad is it? A staffer from Tumblr, a popular blogging site, was quoted in the NY Times as saying: “This still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails and credit cards safe was actually making all that private information accessible to anyone who knew about the exploit.”
To be clear, the implications of a security flaw such as this are astonishing. But personally, I don’t believe anything significant has happened or will happen.
I think we're lucky that the "good guys" discovered this bug and most websites were already fixed before the news about it spread far and wide.
Is There Anything You Should Do?
Out of an abundance of caution, I recommend changing the passwords for all your online accounts, but timing matters: a new password sent to a server that is still vulnerable can be leaked just like the old one. If you receive notice from a site you use saying that it has patched OpenSSL and you should change your password, do it. Even if you don’t receive any notice, change your password on any site that requires a password to log in, once you have reason to believe that site has been patched.
There have been reports that two thirds of all websites might have been affected by the Heartbleed problem; that figure is simply the combined market share of the Apache and nginx web servers, both of which usually rely on OpenSSL. But in fact, only about 17 percent of SSL-enabled web sites were running OpenSSL in a way that exposes them to this Heartbleed vulnerability, according to Netcraft. That’s still roughly half a million sites with trusted certificates, including many of the most popular destinations on the Web.
I want to emphasize that there have been no reports of security breaches attributable to Heartbleed. That doesn’t stop some from spreading Fear, Uncertainty, and Doubt. They argue that because exploitation of Heartbleed leaves no trace in ordinary server logs, we just don’t know how many people may have been victimized; therefore, it must be a lot of people, right?
But we WOULD know; the word “victim” implies that something noticeably bad has happened to you. Criminal investigations follow crimes, and if security researchers can find Heartbleed when they weren’t looking for it, then it’s likely that it would have been found during a forensic investigation. So I think it’s more likely than not that hackers have made little (if any) use of Heartbleed.
This is not the first major security hole involving OpenSSL. In 2006, a Debian-specific patch to the OpenSSL package crippled its random number generator, so that keys generated on Debian and Ubuntu systems were drawn from a tiny, predictable set. The problem was reported in 2008, so (like Heartbleed) it was potentially available to hackers for about two years. There were no massive cyber-crime waves then, either.
About half a dozen times each year, I hear about a live hand grenade or artillery shell that is discovered in someone’s basement after lying there unnoticed since WW II. I’ve never seen a story about a neighborhood devastated by the explosion of such a thing. Yes, the thought that it could have happened is uncomfortable; but it didn’t happen.
Unless you run a server that is vulnerable to this flaw, there's little you can do to protect against the possibility of an exploit. No anti-virus, firewall or encryption software on your computer will make a difference, because the problem is on the server's end. The one exception is client software that itself contains a vulnerable copy of OpenSSL (Android 4.1.1 and OpenVPN clients built against an affected release are examples); such clients can be attacked by a malicious server and should be updated.
But it IS a good idea to change your passwords regularly. Maybe this is the excuse you need to get that task done. Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 9 Apr 2014
Copyright © 2005 - Bob Rankin - All Rights Reserved