Happy (Belated) Birthday Heartbleed

Heartbleed Vulnerability Turns One Year Old

Earlier this month, the Heartbleed bug turned one year old. While security vulnerabilities don’t usually observe birthdays, this one was so big we thought it would be a good idea to take a look at where everything stands in regard to it one year later. For example, are lots of computers still vulnerable? And were there a few positives that came out of the whole experience?

What is Heartbleed?

Here’s a quick recap in case you’re still in the dark about this security vulnerability. Here’s what HeartBleed.com has to say:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

If you’re more of a visual person, here’s a great comic by XKCD that sums it up.

XKCD
Source: XKCD

Why Was it Such a Big Deal?

To truly understand the importance of Heartbleed, you have to understand that OpenSSL, which is free open source software, is used far and wide on the internet. Additionally, when information about the vulnerability was released, it was done so to a few large companies before everyone else. (Yes, we’re talking about you, Google and Cloudflare). Granted, those are two big corporations that should have been told as early as possible – but why were they the only ones notified at first?

A broken disclosure process can make a small problem even bigger. Add to that the fact that Heartbleed, the name given to the vulnerability, had quite a bit of marketing pizzazz. Once the media and bloggers found out what was happening, the information avalanche ensued at breakneck speed. Because of the way information about Heartbleed was released, at least a few organizations were affected as early as April 8, 2014, a day after the announcement was made.

The Canada Revenue Agency (CRA) – like the IRS in Canada – had to shut down servers because of Heartbleed. This actually led to the first Heartbleed related arrest. With so many media websites and blogs talking about the issue, a lot of people began to realize the importance of OpenSSL. We even got an audit of Heartbleed, which was reported by El Reg earlier this year.  They wrote:

So far some US$3 million has been chalked up under the Core Infrastructure Initiative, thanks to contributions from Amazon, Google, Microsoft, Cisco, and Facebook, all of which have pledged $100,000 a year for three years.

First results of the audit are expected around July. The audit begins on the back of OpenSSL code reviews completed last month launched engineer Matt Caswell says on the realization that coding was “very unusual”, “inconsistently applied” and not formally defined.

We’ll have another update later this summer once the review of OpenSSL is completed.

How Many Servers or Devices are Still Vulnerable?

This is a good question. The answer depends on who you ask. Security vendor Venafi has rcently claimed that 7%  of the top 2000 companies around the world are still at risk from Heartbleed a year later. However, if you dig into the fine print of the study, you’ll see that they include not only servers that haven’t updated to the latest OpenSSL version. They also count all SSL certificates that need replaced. Over at eWeek they wrote:

Dmitri Alperovitch, CTO and co-founder at Crowdstrike, said that while replacing SSL certificates is certainly recommended, not replacing the certificates doesn’t necessarily mean organizations are still vulnerable to Heartbleed.

“It’s akin to saying that even though you’ve had heart bypass surgery to mitigate a clot in an artery, you are still in immediate danger of having a heart attack because you haven’t stopped eating fatty and unhealthy foods,” Alperovitch said at the time.

Indeed. On the other end of the spectrum, Qualys-sponsored SSL Pulse has said that only “0.3 percent of sites are currently at risk from Heartbleed.” Yes, that’s quite a bit of difference. Either way, the really important part of our Heartbleed Belated Birthday post is the fact that the vulnerability may have been helpful in raising awareness about internet security. Would the poor guy updating the OpenSSL code basically on his own have appreciated help a lot earlier? Yes, but it’s better late than never.

The SSL Takeaway: Did Heartbleed Change the Security Landscape?

When it comes to Heartbleed, one thing is certain – a lot of people outside of the security field actually sat up and took notice. While it’s a horrible way for a conversation about security vulnerabilities to start, the fact that more people were talking about SSL is a good thing. This thought was expressed by eWeek earlier this month, and we agree. Any time you can shine a spotlight on the importance of internet security in today’s connected world, it’s a good thing.

Lastly, we leave you with this nugget – Could Heartbleed Have Been Detected Sooner?