Wednesday, April 9, 2014

OpenSSL Heartbleed: What does broken encryption actually mean?

The Internet is full of hyperbole, exaggerations, "the sky is falling tales" and the like. To be fair, there are lots of ways bad actors can cause trouble, but in most cases reality falls a bit short of the hype.

That may not be true in this case. Researchers Monday night published a report on the so-called "Heartbleed" bug, named for the heartbeat function it affects in the popular OpenSSL library. OpenSSL is used by many, many websites to enable encrypted communication between you and the web site. When you see the "padlock" icon in your browser window, it means your communication is encrypted - more often than not, that is OpenSSL at work.

Let's talk a little bit about encryption, since it is at the heart of this issue (no pun intended). Some really smart people figured out some mathematical algorithms where you could use one number to encrypt your information, but had to use a different number to decrypt it. Imagine a mailbox with two keys - one key locks the mailbox, but a completely different key unlocks it. You could share the first key with anyone in the world. They could put private mail into your mailbox and lock it, knowing that only with your second key could you open the mailbox.

Now imagine that everyone in town left copies of the first key in the public library - a "public key" that anyone else could get. If you wanted to give a message to Joe, you could go to the library, pick up Joe's public key, deliver your message to Joe, and lock the mailbox. You would be assured that only Joe could read the message because only Joe has the "private key" that opens his mailbox.

That is "asymmetric encryption," and that is what makes the Internet run. "Certificate Authorities" are the public library that issue these pairs of public and private keys, and that make the public keys available for anyone to use. Businesses obtain a certificate that says "this key is real" for specific web addresses. When you log in to Gmail, or buy an item from Amazon, your web browser automatically checks the certificate presented by the web site. It checks to ensure the certificate is for the right web site (Amazon.com and not A-Mazon.com, for example), that the certificate is still valid (this will become important in a minute), and that it was issued by a CA that is trusted (as opposed to "Joe's Crab and Certificate Shack").

You want encryption. When you log on to your bank, you don't want others to be able to intercept your traffic. When you log in to your email, you don't want others reading your messages. The same goes for Facebook / Instagram / Twitter / Social Media du jour. Encrypted web traffic is what enables online shopping, banking, investing, private communication, video on demand, and more. It's a good thing.

It's also something you expect to work. The Heartbleed bug allows someone to "read" a portion of memory on the web server - memory that may contain information that is no longer encrypted (SSL encrypts data in transit; once it reaches the server, it is decrypted so it can be used). This memory may include usernames and passwords, confidential messages, financial data, or in certain rare cases, the private key for that web server. With the private key, the attacker could then decrypt anything sent to and from that server.

Fixing this will require more than just a server update (though that is the critical first step). It is a certainty that much confidential information has leaked over the past 36 hours. Once the dust settles, there will be a lot of notices to change passwords. Since it is possible private keys have been exposed, many organizations will have to cancel their existing certificates and obtain new certificates and public/private key pairs.

The discoverers estimate that about 2/3 of all websites on the Internet are vulnerable. That includes banks, email providers, photo sharing sites, news media, and retail businesses, among other things. I have seen the bug in action, and it is startling how easy it is and how much information can be obtained. And there's nothing you can do to fix this - it's not malware that an antivirus program will help with, and it's not a bug on your computer that you can patch.

That's the bad news.

Now for the good news, such as it is.
  • The researchers did not reveal this until a fix was available, so vulnerable web sites can install a fixed version of OpenSSL right away (and many have already done so).
  • A person seeking to exploit this cannot predict what they will get - they cannot specifically target you (but that's little consolation if you log in to a server that they are watching).
  • Most (not all) banks that I have checked out patched their servers very quickly and are no longer vulnerable.
So what can you do about this? First, if you can, avoid logging into any web sites that you care about for a day or two while the owners have a chance to patch their servers and update their encryption certificates. This has been hot news since it was published, and server operators are scrambling to install the fix as fast as they can. http://filippo.io/Heartbleed is a tool that can quickly check a web site and let you know if it appears to still be vulnerable - this tool is getting very heavy use though so it may or may not work though.

Next, if you have not done so already, make sure you do not share the same password between different web sites (at least the sites you care about). There's at least a decent chance someone could scoop up your password from at least one site this week; don't make it easy for them to break into other accounts by using the same password.

Enable two-factor authentication anywhere you can. With 2FA, even if someone gets your password, they cannot log in to your account without having the second authentication method (often your cell phone).

Finally, expect (a lot of) notices to change your passwords over the next couple of weeks. One bad aspect of this vulnerability is it leaves no traces. There is really no way to know if a particular web site was compromised, so the prudent thing is for every web site to assume they have been breached. Keep in mind though that changing your password before a web site has been fixed does no good - your new password could be intercepted just as easily as the old one.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?

My photo

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.