On Monday, news of the OpenSSL bug “Heartbleed” (CVE-2014-0160) went out across the web. Crypto bugs usually expose things that are encrypted. Heartbleed exposes far more than that: it exposes the internal memory of the web server process, which can include other users’ session cookies and passwords and even the server’s private key. Anyone who can open a TLS connection to an affected server (yahoo.com, say) can send a malformed heartbeat request and read back up to 64 KB of whatever happened to be in that server’s memory, and repeat the request as often as they like. The effect resembles ‘sidejacking’, stealing another user’s session credentials, except that no shared network is required. Heartbleed is present in OpenSSL 1.0.1 through 1.0.1f…the current branch that most “secure” servers had been running for two years. The bug was introduced in early 2012 and, as far as anyone knows, only discovered this month, but throughout that period it allowed anyone at any time to view information that supposedly secure connections were protecting: passwords, credit card information, online banking IDs, and so on.
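The mechanism in one picture, as an added illustration that is not code from the original post or from OpenSSL itself: a C model of the heartbeat handler with the missing length check, beside the check the fix added. The simulated heap layout, the planted “SESSION_COOKIE” secret and all function names are constructed for this example; the record format (type, 16-bit length, payload, 16 bytes of padding) is the real one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16                /* minimum padding a heartbeat carries */
#define HEAP_SIZE        (3 + 65535 + 128) /* simulated heap, large enough for any 16-bit length */

/* Simulated server heap (constructed for this example): the received heartbeat
 * record sits at the front and "secret" process data lies just past it. */
static unsigned char heap[HEAP_SIZE];
static const char secret[] = "SESSION_COOKIE=abc123";

typedef size_t (*hb_handler)(const unsigned char *rec, size_t rec_len, unsigned char *out);

/* Build a heartbeat request at the start of the heap:
 * type(1) | payload_length(2, big-endian) | payload | padding(16).
 * `claimed` is the length the peer asserts; `actual` is how many payload bytes
 * were really sent. Returns the record length actually received. */
static size_t build_record(uint16_t claimed, size_t actual, const unsigned char *payload)
{
    memset(heap, 0, sizeof heap);
    heap[0] = TLS1_HB_REQUEST;
    heap[1] = (unsigned char)(claimed >> 8);
    heap[2] = (unsigned char)(claimed & 0xff);
    memcpy(heap + 3, payload, actual);
    size_t rec_len = 3 + actual + HB_PADDING;
    memcpy(heap + rec_len, secret, sizeof secret - 1); /* leftover data next to the record */
    return rec_len;
}

/* Shared response construction: echo `payload` bytes starting at `p`. */
static size_t write_response(unsigned char *out, const unsigned char *p, uint16_t payload)
{
    unsigned char *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, p, payload);        /* copies `payload` bytes, whatever they happen to be */
    bp += payload;
    memset(bp, 0, HB_PADDING);     /* real code uses random padding; zeros here */
    return (size_t)(bp - out) + HB_PADDING;
}

/* Vulnerable handler, modelled on OpenSSL 1.0.1 through 1.0.1f (CVE-2014-0160):
 * it trusts the peer's 2-byte length and never compares it with rec_len. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    (void)rec_len;                 /* never consulted: this is the bug */
    if (rec[0] != TLS1_HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return write_response(out, rec + 3, payload); /* over-reads past the real payload */
}

/* Fixed handler: the bounds check OpenSSL 1.0.1g added. A record whose declared
 * payload does not fit in the bytes actually received is silently discarded. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;      /* too short for even an empty payload */
    if (rec[0] != TLS1_HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0; /* the missing check */
    return write_response(out, rec + 3, payload);
}

/* Send a 4-byte "ping" that claims to be 64 bytes long. Returns 1 if the
 * handler's response contains the planted secret, 0 otherwise. */
static int response_leaks_secret(hb_handler handler)
{
    static unsigned char out[3 + 65535 + HB_PADDING];
    size_t rec_len = build_record(64, 4, (const unsigned char *)"ping");
    size_t n = handler(heap, rec_len, out);
    size_t needle_len = sizeof secret - 1;
    for (size_t i = 0; n >= needle_len && i + needle_len <= n; i++)
        if (memcmp(out + i, secret, needle_len) == 0) return 1;
    return 0;
}

/* A well-formed request (claimed == actual) must still be answered by both handlers.
 * Returns the response length: 3 + 4 + HB_PADDING = 23 for a 4-byte payload. */
static size_t legit_response_len(hb_handler handler)
{
    static unsigned char out[3 + 65535 + HB_PADDING];
    size_t rec_len = build_record(4, 4, (const unsigned char *)"ping");
    return handler(heap, rec_len, out);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", response_leaks_secret(heartbeat_vulnerable));
    printf("fixed handler leaks secret:      %d\n", response_leaks_secret(heartbeat_fixed));
    printf("legit request, fixed handler:    %zu bytes\n", legit_response_len(heartbeat_fixed));
    return 0;
}
```

The over-read here stays inside a simulated buffer so the program is well defined; in the real server the same memcpy walked into whatever the allocator had placed next to the record, which is why the leaked bytes were different on every request and why nothing in the TLS layer could notice it.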
This bug doesn’t affect the end user directly, except that it allows your information to be stolen. The only people who can fix this issue are site sysadmins, programmers, and back-end developers, who have been scrambling this week to patch OpenSSL, restart their services, and replace their certificates (revoking the old ones, since the private key itself may have been read), so that the bug can no longer be used to pull millions of users’ private information out of server memory. Users must now check their favorite websites to see if they are patched, and only then change their passwords: a new password sent to an unpatched server can be stolen just like the old one. Mashable published a quick-and-dirty list of sites whose passwords are safe to change, and this fantastic open source tool was created the day the bug was announced to allow checking of other websites. Some sites seem unaware of the problem: my bank, for example, when I contacted them, would not give me information about whether they had patched the back end and changed their certificates, instead directing me to their security policy on the website.
This leads me to a major issue with bugs like this: lack of transparency. Rather than just answering my question about whether the terrible potential security breach had been fixed, my bank preferred to save face by merely directing me to information that did not answer my question. Large sites like Facebook and Twitter have not released statements saying they have plugged the leaks…they just quietly did it and expected everyone to assume they were safe. Not being willing to share information about the safety of a site through which I do my online banking means that I am not willing to bank there: lack of transparency has a real cost, both to me and to the bank. Many smaller sites and banks jumped to announce on Twitter and their blogs that they had patched the issue: working collaboratively against an enormous breach of public security is the only way to protect the community at large.
The EFF (Electronic Frontier Foundation), an organization dedicated to free and open access to information, reported yesterday that there is some evidence, in the form of server logs, that Heartbleed attacks were being attempted BEFORE knowledge of the bug became commonplace. This means that attackers who were aware of the bug would have had a leisurely period in which to poke around and exploit it. There is also some evidence that government intelligence agencies were aware of the issue…and may have been using it to record and spy on personal, private information. When Edward Snowden revealed the depth of the NSA’s surveillance of online and phone transactions, people were horrified to realize that they had much less privacy than they thought. Heartbleed means that even information they thought was safely encrypted or inaccessible may have been available to the US government all along…for the past two years.
Tracking down who committed the code will be a useful exercise in seeing whether or not this was an intentional act. It will also be interesting to see whether this information is released to the public at large, given that WHO introduced the bug might have serious political repercussions. The need for transparency in news reporting, discussion, and government appears even more relevant and important when security issues like Heartbleed show up…and we are mostly unable to do anything about how much information we receive, while all of our information remains, whether we want it to or not, an open book.
(some text provided by Ray Lee)