Why You Should Be Concerned By The Latest Security News – OpenSSL & HeartBleed

Is your information really safe?

Last week’s announcement goes beyond the security community and you should not only be aware, but take some preventive measures. Read this article for the why and how this announcement affects you.

First things first: what is OpenSSL? It is a piece of software that websites use to encrypt their connections using the standards called SSL and TLS. It is an open source project in which programmers “help out” for free in order to produce an enterprise-level solution that anyone can use at no cost. In layman’s terms, it is a security tool websites use to guarantee that no one is snooping on your connection with them.

OK, but why does this affect me? Most websites that provide encryption do so in a fairly secure way, right? This is true, but here the tool that provides the security was itself the one affected. The issue affected the encryption tooling to the point where not only could a hacker have broken that encryption, but could have done so in a way that leaves no trace. So, even if every website were updated with a corrected version right away, we would not know whether the communications you expected to have in private with that web service were actually intercepted. To top it all off, this bug was in place for the last 2 years (yes, you read that right: two years).

Who is affected? Everyone. Regardless of what and how you do things online, you are bound to have used a website that uses (or used) this type of tool.

OpenSSL is used in many of the most popular websites and web services in the world. This security issue still affects millions of websites. Google, Amazon Web Services, RackSpace, Yahoo, Facebook, Dropbox, Flickr, Tumblr, Ars Technica, IFTTT.com, Blogger/Blogspot, Electronic Frontier Foundation, Etsy, Imgur, Instagram, Netflix, OKCupid, Pinterest, Stack Overflow, Wikipedia, Woot, WordPress.com/WordPress.org, YouTube, etc. are included in this list. Any communications you expected to be private cannot be guaranteed to be safe. This includes passwords, encryption keys, potentially bank websites, accounts, other types of communications, etc. Even if you use encrypted email you are not completely safe, because most of the vendors providing such encryption services were affected in the first place. And this applies to any encrypted communications over the last 2 years!

As an example, take Google services. The provider of the most popular smartphone platform in the world supports it with Google services, and its enterprise offering for email and tools (Google Apps) and many of its other services use this tool. If you use any of those tools, you are still affected. Even if you use those services outside of Android smartphones, on an Apple iPhone, Windows Phone or BlackBerry, on tablets such as Android or iPad, or even on PCs running Windows, Mac or Linux, you are still affected. Google’s services are just one example; the issue is much more widespread than Google alone.

A refreshing bit of news is that Office 365 and Microsoft’s other tools and websites have not been affected, since Microsoft products use a different tool that was developed in-house. However, if you have Windows servers hosted behind a Cisco firewall or other hardware that was affected, you should still be concerned.

What should we do? A fix is already out there and available for administrators to update their services. Meanwhile, you are still unprotected when using those websites. Beware. Once the fix is in place, the easiest thing to do is change your passwords; this makes the older passwords useless. If the site offers two-step authentication, start using it: it is much more secure than a password alone, regardless of password complexity. On mobile devices, both smartphones and tablets, refresh all connections by re-entering the username and password.

Now for some opinion of my own.

While open source is great to lower costs, it also means that there are no monetary incentives to produce solutions to known (or unknown) problems. Corporations have the monetary incentive to correct these errors immediately, otherwise their competitors take advantage of them. Quality control in this particular case was almost non-existent, and while I am a supporter of open source in principle, this is a wake-up call for all the open source purists. For all the “corporate evil” open source may be up against, this non-profit organization failed to find and admit their error for the two years it took until it was fixed. Even more, the announcement was made in what seems to be a very inconspicuous way, tainting the principles of the open source movement.

Announcement by OpenSSL.org

OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS 
heartbeat extension can be used to reveal up to 64k of 
memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected
including 1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering 
this bug and to Adam Langley <agl@chromium.org> and Bodo 
Moeller <bmoeller@acm.org> for preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users 
unable to immediately upgrade can alternatively recompile 
OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.
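The "missing bounds check" named in the advisory above, and the "leaves no trace" over-read described earlier in the article, come down to one trusted length field. The following is an added example, not OpenSSL's own code: a simplified, constructed model of a heartbeat record showing the pre-1.0.1g handler beside the patched one, with a constructed "process memory" buffer so the over-read stays inside allocated memory and can be observed safely.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model (not OpenSSL's code): type (1) | payload_length (2, big-endian) | payload | 16 bytes padding */
#define HB_PADDING 16
/* Constructed "process memory": a 21-byte record claiming a 32-byte payload, then unrelated data after it. */
static unsigned char process_memory[64] = {
    0x01, 0x00, 0x20,                                  /* request, payload_length = 32 */
    'h', 'i',                                          /* the 2 payload bytes really sent */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,    /* padding */
    'S', 'E', 'C', 'R', 'E', 'T', 'K', 'E', 'Y'        /* not part of the record at all */
};
static const size_t received_len = 1 + 2 + 2 + HB_PADDING;  /* bytes actually received: 21 */

/* Pre-1.0.1g logic: the peer's length field is trusted, rec_len is never consulted, memcpy over-reads. */
size_t hb_reply_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;
    memcpy(out, rec + 3, payload);   /* copies 32 bytes although only 2 were sent */
    return payload;
}

/* Fixed logic: header + claimed payload + padding must fit in the received record, else discard. */
size_t hb_reply_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;                     /* too short to be a heartbeat */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;   /* silently drop the request */
    memcpy(out, rec + 3, payload);
    return payload;
}

/* Does the vulnerable reply carry bytes that were never part of the record? */
int vulnerable_leaks_adjacent_memory(void) {
    unsigned char out[64] = {0};
    size_t n = hb_reply_vulnerable(process_memory, received_len, out);
    return n == 32 && memcmp(out + 18, "SECRETKEY", 9) == 0;  /* rec[21..29] lands in out[18..26] */
}

/* Same malformed record through the patched handler: nothing is echoed back. */
int fixed_rejects_oversized_claim(void) {
    unsigned char out[64] = {0};
    return hb_reply_fixed(process_memory, received_len, out) == 0;
}

/* An honest record (claims exactly the 2 bytes it carries) still works after the fix. */
int fixed_accepts_honest_record(void) {
    unsigned char rec[21] = {0x01, 0x00, 0x02, 'h', 'i'};  /* remaining padding bytes are 0 */
    unsigned char out[64] = {0};
    return hb_reply_fixed(rec, sizeof rec, out) == 2 && memcmp(out, "hi", 2) == 0;
}
```

The point for defenders: the reply length comes from the peer, so a server that does not compare it against the bytes it actually received echoes whatever sits next in memory, and the recompile flag `-DOPENSSL_NO_HEARTBEATS` mentioned in the advisory removes that code path entirely.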


About Diego Samuilov

Editor in Chief/Founder Diego Samuilov is an executive, consultant, IT strategist and book, e-book and web published author. Diego has worked in Microsoft’s environments since 1990. Since then, he has successfully filled many positions related to the software development lifecycle, having worked as a developer, analyst, technical lead, project lead and auditor and, since 1996, as a project manager, manager, director and VP in the software development, server, desktop and mobile environments. Diego is very passionate about the software development process, which has played a great part in his skills development. Since the introduction of the first ever PDA (the Apple Newton MessagePad) in 1994 and Windows CE in 1998 he has pioneered and pushed the envelope in the field of mobile software development. He has developed many solutions used in mobile markets, desktop and server environments. He participates in public and private developer community events. He actively collaborates with the community at support forums and blogs. Diego is the author of "Windows Phone for Everyone" available [HERE].
  • Eric Alter

    Excellent article! I think your opinion is also well-stated, and I do agree with most of it; however, I would like to add that the best solution may lie somewhere in between open-source and corporate. While investing in proprietary intellectual property (software) may be one way to defeat criminals and hackers, aligning as many sharp-minded individuals as possible to play on the good guys’ team would be another, so lower-cost opportunities like open-source software probably have more potential for such an approach.