Heartbleed: the unsurprising and the unexpected

The virus with the very evocative name has wreaked havoc on personal passwords, made security paranoids tremble and left the general internet population somewhat perplexed. I’m not an encryption expert, and in fact I have a serious problem remembering passwords (if I tell you my method for remembering them, my security-conscious friends will be screaming in horror and bashing my door down all weekend). But I was curious and a little bit worried, so I did some research. And what I discovered was in part unsurprising and in part unexpected.


The unsurprising part is the conflicting advice. Change all your passwords, now. Don’t change your passwords, not yet. A mixture of overreaction and better-safe-than-sorry led to a few somewhat frightening articles, while the security gurus understandably tried to maintain our faith in the system. I mean, just imagine if we never trusted Internet security again: businesses would fail, the e-economy would slump and a lot of hip people would be very depressed.

So why the confusion? Because it is, unsurprisingly, quite complicated and techy, but at the same time very important. Ironically, the bug lives in the security encryption software that was built to make the internet safer. Any URL that starts with “https” instead of “http” is protected by something called Secure Sockets Layer, which means that anything you type in anywhere on that webpage is encrypted before it is transmitted. So, in theory, your information cannot be intercepted and re-used.

OpenSSL is open-source encryption software (i.e., anyone can use it; help yourself). Even though it may not be a familiar name to you, as many as two out of three servers use it. One version of this software, available since March 2012, contains a coding glitch through which hackers can pull a chunk of data from secure websites. (If you’re interested in a really technical explanation, here you go…). From that, the hackers can get not only passwords but, even more dangerously, the encryption keys, which means that they can intercept all future data from that website. So, while all affected sites are updating and patching to protect future transmissions, the hackers may already have your passwords, hence the recommendation to change them anyway.

Talk about having a bad weekend. A researcher at Google (or the testing company Codenomicon, it’s unclear) noticed the bug and right away informed the OpenSSL team. Sensibly, they didn’t go public with it right away, to avoid a large-scale panic. Instead, they started working around the clock to get the fixes in place, so that when the news broke, a solution was already available.

OpenSSL has released a fixed update, and only servers using the vulnerable version (versions 1.0.1 and 1.0.2beta, if you’re interested) need to be updated. Non-secure servers are unaffected: they’re as unsecure as they always were. If you’re in doubt, you can use this website to check the server you want to log into, although apparently it does return some false negatives. If you’re not sure whether a site you use is vulnerable, ask them. And if they haven’t patched their OpenSSL code yet, don’t change your passwords until they do – the hackers could see those, too. Mashable published a useful list of sites for which you should change the password right away.

The transparency with which this is being handled is also unsurprising in this day of instant communication. With a major mess-up like this, you would expect blame-passing and hiding. But no, I think that credit is due to the team at OpenSSL for being open about it and for fixing it as fast as they could. It is how all business should be conducted, not just Internet businesses, and they have set a good example.

So, on to the unexpected part: the depth and scale of this particular software glitch. The unsuspecting public generally trusts the security software. We’re all taught that the “s” in “https” means that the site is secure. So it is hard to digest that, guess what, your passwords may have been compromised.

Another unexpected and disconcerting aspect is that the vulnerability has been in place for about two years now. And the attacks leave no trace on the server, so there’s no way of knowing if your data has been extracted. Feeling worried yet? Change your passwords on the vulnerable sites, and you’ll be fine. It is extremely unlikely that the same glitch will happen again, and I imagine that the testing procedures will be improved after this.

But for me the most unexpected aspect of this whole drama is that here we have a software bug with a logo. Has there ever before been a bug so famous and with such a catchy name that it gets its own logo? It could well end up becoming a brand. With T-shirts and memes (“I heartbleed you”) and maybe even coffee cups.

I mentioned before that I am incapable of remembering passwords. So I have LastPass installed on my computer. If you don’t know it, LastPass remembers all of your passwords for you, so that all you need to try to remember is your LastPass key phrase (I use a phrase from a book on my bookshelf, ‘cos I figured that if I lose the book – highly possible given the chaotic state of my study – I could always get another one… assuming I remember which book). It’s convenient, although I do get angry at it sometimes when it doesn’t remember a password I am sure I put in. And it’s free, with a payment option if you also want to use it on your mobile devices (I’m thinking about it, for the iPad). It sounds safe and convenient, no? Well, LastPass has announced that they are vulnerable to Heartbleed, but that no encrypted data was exposed because our passwords are also encrypted with another key that’s not on the LastPass servers. Don’t worry, you’re not the only one confused. On LastPass, your data is encrypted before being encrypted. Which, in retrospect, is pretty clever.

So are we safe now? No doubt very smart programmers are scrambling to find ways to avoid this kind of bug happening again. But, as in nature, viruses have a way of mutating and adapting, and we should always be aware that our data could be vulnerable. Me, I’m going to stick with LastPass and my scribbled-on piece of paper which I hide under the carpet (there, I told you, and now I have to go and change the hiding place since no doubt all the hackers reading this are going to try to break into my apartment in spite of my many impenetrable alarm systems).
