Last week’s OpenSSL announcement (the bug tracked as CVE-2014-0160, widely known as Heartbleed) matters well beyond the security community: you should not only be aware of it, but take some preventive measures. Read on for why and how this announcement affects you.
First things first: what is OpenSSL? It is not a service but a piece of software, an open source library that implements the SSL and TLS encryption standards. Web servers, mail servers, VPNs and many other programs use it to provide encrypted connections rather than writing their own. Programmers volunteer their time to it, producing an enterprise-grade solution that anyone can use for free. In layman’s terms, it is the component a website relies on so that nobody in between can read or tamper with your connection to it.
OK, but why does this affect me? Most websites that provide encryption do so in a fairly secure way, right? True, but this time the flaw was in the tool that provides the encryption. The bug sits in OpenSSL’s handling of the TLS “heartbeat” extension: a missing bounds check lets anyone who can connect to an affected server read up to 64 KB of that server’s memory per request, as often as they like (and a malicious server can do the same to an affected client). That memory holds whatever the server was working with at the time: users’ passwords, session cookies, and even the server’s private key, the one secret the whole encryption rests on. The encryption itself is not broken; the secrets around it leak out. Worse, a malformed heartbeat is not logged, so the attack leaves no trace. So even if every website installed the corrected version right away, nobody can tell whether the communications you expected to have in private with that web service were in fact intercepted. To top it all off, the bug has been in place for about two years (yes, you read that right: two years), ever since the affected 1.0.1 branch was released in March 2012.
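To make the “no trace” point concrete, here is an added illustration written for this post; it is not OpenSSL’s source. It is a constructed model of the heartbeat handler described in the OpenSSL advisory reproduced at the end (the “missing bounds check in the handling of the TLS heartbeat extension”): an attacker’s request that claims a larger payload than it carries, a fake heap holding a leftover session cookie, and the single length check that 1.0.1g added. The buffer sizes, the cookie, and all function names are invented for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL's code: a cut-down model of the TLS heartbeat handler
 * (RFC 6520: 1-byte type, 2-byte big-endian length, payload, >=16 bytes padding)
 * that can run with or without the bounds check 1.0.1g added. The heap, the request
 * and the "secret" are all constructed here. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HEAP_SIZE   4096

/* Simulated process memory: the record lands at the front, a stale cookie further on. */
static unsigned char heap[HEAP_SIZE];
static const char secret[] = "session=0123456789abcdef; user=alice";

/* Attacker's request: claims claimed_len payload bytes but carries only actual_len. */
size_t build_heartbeat_request(unsigned char *rec, size_t cap, uint16_t claimed_len,
                               const unsigned char *payload, size_t actual_len)
{
    if (cap < 3 + actual_len + HB_PADDING) return 0;
    rec[0] = HB_REQUEST;
    rec[1] = (unsigned char)(claimed_len >> 8);
    rec[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(rec + 3, payload, actual_len);
    memset(rec + 3 + actual_len, 0, HB_PADDING);
    return 3 + actual_len + HB_PADDING;
}

/* Server side. With bounds_check == 0 this is the 1.0.1 to 1.0.1f behaviour: the
 * peer's length field is trusted and never compared with the record received, so the
 * memcpy echoes back whatever follows the request in memory. With bounds_check == 1
 * the 1.0.1g check rejects the request silently (nothing is logged). Returns the
 * response length, or -1 if the request was dropped. */
int handle_heartbeat(const unsigned char *rec, size_t rec_len,
                     unsigned char *out, size_t out_cap, int bounds_check)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (bounds_check && 1 + 2 + (size_t)payload_len + HB_PADDING > rec_len)
        return -1;                                  /* the whole fix */
    size_t total = 3 + (size_t)payload_len + HB_PADDING;
    if (total > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xff);
    memcpy(out + 3, rec + 3, payload_len);          /* over-read when the peer lied */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)total;
}

/* What an attacker does with a reply: scan it for anything that looks interesting. */
static int contains_secret(const unsigned char *buf, int n)
{
    int slen = (int)strlen(secret);
    for (int i = 0; i + slen <= n; i++)
        if (memcmp(buf + i, secret, (size_t)slen) == 0) return 1;
    return 0;
}

/* One request (claims `claimed` bytes, carries "ping") against a fresh heap.
 * Returns the response length, or -1 if the handler dropped the request. */
int run_request(int bounds_check, uint16_t claimed, unsigned char *resp, size_t cap)
{
    memset(heap, 0, sizeof heap);
    memcpy(heap + 256, secret, sizeof secret);      /* stale data left on the heap */
    size_t n = build_heartbeat_request(heap, sizeof heap, claimed,
                                       (const unsigned char *)"ping", 4);
    return handle_heartbeat(heap, n, resp, cap, bounds_check);
}

/* 1 if a lying request (claims 1024 bytes, sends 4) brings the cookie back. */
int leaks_secret(int bounds_check)
{
    static unsigned char resp[HEAP_SIZE];
    int n = run_request(bounds_check, 1024, resp, sizeof resp);
    return n > 0 && contains_secret(resp, n);
}

/* An honest 4-byte heartbeat must still be answered: 3 + 4 + 16 = 23 bytes. */
int honest_request_length(int bounds_check)
{
    static unsigned char resp[HEAP_SIZE];
    return run_request(bounds_check, 4, resp, sizeof resp);
}

int main(void)
{
    printf("without check, cookie leaked: %d\n", leaks_secret(0));
    printf("with check, cookie leaked:    %d\n", leaks_secret(1));
    printf("with check, honest reply:     %d bytes\n", honest_request_length(1));
    return 0;
}
```

Without the check the cookie comes back in the reply; with it the lying request is dropped while an honest heartbeat is still answered. Note what is missing from both paths: no error, no log line. A server answers a lying heartbeat exactly as it answers an honest one, which is why a site that has since patched cannot look at its logs and say whether it was ever probed.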
Who is affected? Everyone. Regardless of what you do online and how you do it, you are bound to have used a website that uses (or used) this library.
OpenSSL is used by many of the most popular websites and web services in the world, and at the time of writing the bug still affects millions of websites. Sites and services reported as affected when the news broke include Google, Amazon Web Services, RackSpace, Yahoo, Facebook, Dropbox, Flickr, Tumblr, Ars Technica, IFTTT.com, Blogger/Blogspot, Electronic Frontier Foundation, Etsy, Imgur, Instagram, Netflix, OKCupid, Pinterest, Stack Overflow, Wikipedia, Woot, WordPress.com/WordPress.org and YouTube, among others. Any communications you expected to be private with an affected site cannot be guaranteed to have stayed private: passwords, session cookies, the site’s own encryption keys, potentially bank websites, account details, and any other traffic. Even if you use “encrypted” email you are not completely safe, because the encryption most email providers offer is exactly this kind of TLS connection to their servers, and many of those servers were affected. And this exposure covers any such communications over the last two years, not just the last week.
As an example, take Google’s services. Google backs the most popular smartphone platform in the world (Android) with its services, offers Google Apps to businesses for email and tools, and runs many other services of its own, and these ran on OpenSSL. If you use any of them, your traffic to them was exposed until they were patched. Because the flaw is on the server side, it makes no difference what you connected from: an Android phone, an Apple iPhone, a Windows Phone, a BlackBerry, an Android tablet or an iPad, or a Windows, Mac or Linux PC. Google’s services are just one example; the issue is much more widespread than Google.
A refreshing bit of news is that Office 365 and the rest of Microsoft’s tools and websites have not been affected, because Microsoft products use an in-house TLS implementation (SChannel) rather than OpenSSL. However, if you have Windows servers hosted behind a Cisco firewall, a load balancer, a VPN appliance or other hardware that terminates SSL/TLS with OpenSSL and was affected, you should still be concerned: the appliance, not Windows, is where your encryption keys and your users’ traffic were exposed.
What should we do? A fix (OpenSSL 1.0.1g) is already out there and available for administrators to install. Until a given site has installed it, you are still unprotected when using that site, so beware. Administrators should also assume their private keys may have leaked: get new certificates issued and the old ones revoked, then expire every existing user session. Once the fix is in place, the easiest thing for you to do is change your passwords, which makes whatever leaked useless; changing them before the site is fixed only exposes the new password too. If the site offers two-step authentication, start using it: it is much more secure than a password alone, regardless of password complexity. On smartphones and tablets, sign out of your apps and sign back in with your username and password so that each app gets a fresh session and any old, possibly leaked session token is discarded.
Now for some opinion of my own.
While open source is great to lower costs, it also means that there are no monetary incentives to produce solutions to known (or unknown) problems. Corporations have the monetary incentive to correct these errors immediately, otherwise their competitors take advantage of them. Quality control in this particular case was almost non-existent, and while I am a supporter of open source in principle, this is a wake-up call for all the open source purists. For all the “corporate evil” open source may be up against, this non-profit organization failed to find and admit its error for the two years it took until it was fixed. What is more, the announcement was made in what seems to be a very inconspicuous way, tainting the principles of the open source movement.
Announcement by OpenSSL.org
OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <firstname.lastname@example.org> and Bodo Moeller <email@example.com> for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.