Heartbleed Demands OpenSSL Surgery
An especially dangerous web vulnerability was discovered and made public yesterday, known as Heartbleed. You should read no further and simply change your critical online passwords without delay. Seriously. Do it now.
You can get details in this Carnegie Mellon CERT article, or for something less technical, the NYT Bits page. The Finns who discovered the problem put up heartbleed.com, but it is blocked by my corporate firewall so I hesitate to recommend it (although it’s probably because our software’s blocking rules aren’t very intelligent, or somebody just overreacted). The bottom line is that everything you thought was being safely encrypted as it was passed through a web server may have been exposed to hackers. Criminals exploiting this vulnerability can do so without leaving any trace that they were in the server, so you won’t necessarily ever know that information was lost – until the criminals use it, of course.
One interesting side note is how the vulnerability came to light. Finnish security experts at Codenomicon discovered it and reported it to the Finnish cybersecurity authority responsible for making these things public; whereupon it turned out that researchers at Google were already working on it. I find it interesting, both culturally and from a regulatory standpoint, that the Finnish reaction is to mandate a government authority for the management of internet security threats, whereas on this side of the Atlantic it’s pretty much left to professional judgment.
It’s hard to say what’s the better approach. Disclosure can alert criminals to an opportunity. Presumably Google was working in secret in order to find a way to close the door before too many discovered it open; but at the same time, their secrecy prevented others from taking steps to protect themselves. Is it better to authorize a government organization to manage the disclosure? They could then coordinate a response, then make the problem public and recommend actions once an appropriate course has been determined. But we’d be trusting them to decide when to go public. There’s always the risk of telling the public too little, too late; or telling hackers too much, too soon. And while I can’t say I trust Google (or for that matter Symantec and their brethren) further than I can throw a driverless car, recent experience with government agencies in this sphere doesn’t inspire confidence.