This week has been riveting from the perspective of Internet Security. A tiny, yet devastating, security flaw was discovered in the OpenSSL library — literally the world’s most ubiquitous implementation of the SSL protocol.
The development of the SSL protocol in the mid-1990s itself marked a watershed event in the evolution of the World Wide Web. Twenty years ago, “the Web” was simply a vehicle for sharing interesting content. Today, however, the Web is synonymous with buying products, paying taxes, making banking transactions, and even leveraging a plethora of business-grade services (e.g., SaaS applications) for carrying out important functions like customer relationship management, human resources, expense reporting, and payroll, among other things.
For the Web of twenty years ago to become the Web of today, it was important to build in a security layer so that people could conduct online transactions safely. And the SSL protocol became that de-facto security layer. For people to be able to transact with confidence online, they had to believe that SSL was sacrosanct. They had to believe that the confidential data they transmitted over SSL was safeguarded against prying eyes.
The “Heartbleed” flaw, as it has been named, has cast a shadow on those beliefs. The flaw allows attackers to exfiltrate supposedly confidential data from Web servers on the Internet. That data could include passwords, Social Security numbers, etc. In extreme cases, it could contain actual cryptographic keys that the server used to encrypt and decrypt data. And with these proverbial (and literal) keys to the kingdom, an attacker could gain carte blanche access to anything sensitive you may have transmitted in the past.
Editor’s note: In the video below, Ramzan explains how Heartbleed works.
The Heartbleed flaw is surprisingly simple, which fortunately lends itself to an easy fix. With the flaw now being public knowledge, the next phase we have to deal with is damage mitigation and control. Web site operators need to upgrade OpenSSL and discard previous cryptographic keys in favor of fresh ones.
But what does it mean for you individually?
The conventional wisdom to change all of your online passwords still applies. However, before you do that, ensure that you can do so safely. Find out if the sites you visit have fixed the Heartbleed issue on their end. One way to do that is with this Heartbleed vulnerability testing site. Enter the domain name of the site you’re wondering about, and if the tester responds that the site seems safe, then you should be in the clear.
Only then should you update your passwords.
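The two pieces of advice above (operators upgrade OpenSSL and discard their old keys; users confirm a site is fixed before changing passwords) can be turned into a small check. The example below is added here and is not code from the original article; it uses only the Python standard library. It reads a server's certificate the way `SSLSocket.getpeercert()` returns it, compares the certificate's `notBefore` date with the date the operator says they patched (a value you must supply; the date in the sample is constructed), and only reports a site as ready for a password change when both the patch and a post-patch certificate are in place. The host name, certificate dates and patch date in the sample are all constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample: the dict shape SSLSocket.getpeercert() returns for a
# hypothetical site whose certificate was issued on 12 April 2014.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "notBefore": "Apr 12 00:00:00 2014 GMT",
    "notAfter": "Apr 12 23:59:59 2015 GMT",
}


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live lookup (needs network): return the server's leaf certificate as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def cert_not_before(cert):
    """Parse the certificate's notBefore field into an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def reissued_after(cert, patched_at):
    """True if the certificate was issued strictly after the operator's patch time."""
    return cert_not_before(cert) > patched_at


def safe_to_change_password(openssl_patched, cert, patched_at):
    """Decide whether a user should change their password on this site yet.

    Returns (ready, reason). Both conditions must hold: the server no longer
    runs the vulnerable library, and the certificate (hence, normally, the key
    pair) postdates the fix. Otherwise a fresh password could be exposed to the
    same flaw, or protected by a key that may already have leaked.
    """
    if not openssl_patched:
        return False, "server still runs an unpatched OpenSSL"
    if not reissued_after(cert, patched_at):
        return False, "certificate predates the patch; key may be the one that leaked"
    return True, "patched and certificate reissued after the patch"


def triage(sites):
    """sites: iterable of (host, openssl_patched, cert, patched_at).
    Returns {host: (ready, reason)} so a user can work through a list at once."""
    return {host: safe_to_change_password(ok, cert, when)
            for host, ok, cert, when in sites}


if __name__ == "__main__":
    # Constructed patch date: operator reports upgrading on 9 April 2014.
    patched_at = datetime(2014, 4, 9, tzinfo=timezone.utc)
    for host, (ready, reason) in triage([
        ("shop.example", True, SAMPLE_CERT, patched_at),
        ("bank.example", False, SAMPLE_CERT, patched_at),
    ]).items():
        print(f"{host}: {'change password' if ready else 'wait'} ({reason})")
```

A certificate dated after the patch is a necessary signal, not a sufficient one: a CA can reissue a certificate over the same public key, so an operator who only re-requested the certificate without generating a new key pair will pass this check while still using a key that may have been exposed. Confirming that the public key itself changed requires comparing the key (for example from the DER form returned by `getpeercert(binary_form=True)`) against the one seen before the fix.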
Also, because the attack could have been carried out for some time without anyone’s prior knowledge, be vigilant about checking credit card statements and such for fraudulent transactions.
Ultimately, the most damaging result from Heartbleed is that it has shaken our confidence in the Web. Because online transactions are second nature today, it’s easy to forget that underneath it all is a complex series of interactions among computers carrying out highly intricate operations. That complexity can lead to confusion — to the point where a devastatingly simple flaw can literally be hidden in plain sight.
Zulfikar is the Chief Technology Officer of Elastica. In this role, he drives Elastica’s efforts in leveraging data science and machine learning techniques towards improving the security of cloud services. Prior to joining Elastica, Zulfikar was Chief Scientist at Sourcefire (acquired by Cisco), within their cloud technology group. He holds a Ph.D. in Electrical Engineering and Computer Science from the Massachusetts Institute of Technology, with thesis work in cryptography.