Heartbleed Not Done Bleeding Just Yet

by Jeff Wiener on April 10, 2015

It was a year ago this week that the online world was staggered when security researchers discovered a critical vulnerability in the foundational security technology of the Internet’s core infrastructure, a threat ghoulishly dubbed Heartbleed. Sadly though, a year later it looks like not much has changed regarding Heartbleed, except that we all seem to have forgotten about it.

Despite the pervasive threat posed by the Heartbleed vulnerability–last year analysts estimated that almost half a million websites could be affected–when the news first broke about Heartbleed the public’s response was one of battle weariness, clearly exhausted from the constant deluge of reporting on threats and hackers and cyber-crime.

So perhaps it’s no surprise that a year later a vast majority of online users haven’t even heard of Heartbleed, a disconcerting point given that the vulnerability is still alive and well on the Internet and continues to have the potential to bleed us of all our personal information.

When Heartbleed first reared its ugly head last year the IT industry was quick to respond, reissuing security certificates for affected websites to help reestablish the security of legitimate sites and distinguish them from the fraudulent ones hackers could use Heartbleed to create.

Like many solutions, however, this one was “quick and dirty,” and thus ultimately ineffective. Most affected websites simply reissued certificates, failing to realize that the private keys behind those certificates had been compromised as well.

“The problem with Heartbleed was that you have to assume that the key itself was compromised,” Kevin Bocek, vice president for security strategy and threat intelligence at Venafi, told TechNewsWorld. “If you don’t change the key, you’re not fixing the problem, because an attacker can use the key to spoof a site or perform a man-in-the-middle attack.”
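The failure Bocek describes is easy to check for: if a reissued certificate still contains the same SubjectPublicKeyInfo as the one it replaced, the key was never rotated and the reissue changed nothing. The following added example (not from the original post) walks the DER structure of a certificate far enough to hash its SPKI and compares old and new; the sample certificates are constructed stand-ins, not real X.509 data.

```python
import hashlib

def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    # Build one DER TLV element (used here only to construct sample data).
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos):
    # Parse one TLV at pos; return (tag, value bytes, position after element).
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def spki_fingerprint(cert_der):
    # Walk Certificate -> tbsCertificate and hash the DER-encoded
    # subjectPublicKeyInfo, the value public-key pins are built from.
    _, cert, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    tag, _, nxt = read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0   # skip optional [0] EXPLICIT version
    for _ in range(5):                # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    _, _, nxt = read_tlv(tbs, pos)
    return hashlib.sha256(tbs[pos:nxt]).hexdigest()

def key_rotated(old_der, new_der):
    # True only if the reissued certificate carries a different public key.
    return spki_fingerprint(old_der) != spki_fingerprint(new_der)

def fake_cert(serial, spki_body):
    # Constructed, certificate-shaped DER (not a real X.509 certificate):
    # only the fields spki_fingerprint walks are populated.
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial)
           + tlv(0x30, b"") * 4 + tlv(0x30, spki_body))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

KEY_A = tlv(0x30, b"alg-A") + tlv(0x03, b"\x00key-A")   # constructed SPKI bodies
KEY_B = tlv(0x30, b"alg-B") + tlv(0x03, b"\x00key-B")
OLD_CERT = fake_cert(b"\x01", KEY_A)
REISSUED_SAME_KEY = fake_cert(b"\x02", KEY_A)   # "quick and dirty" reissue
REISSUED_NEW_KEY = fake_cert(b"\x03", KEY_B)    # key actually rotated
```

For a live site, `ssl.get_server_certificate((host, 443))` followed by `ssl.PEM_cert_to_DER_cert()` from the standard library produces the DER input; compare the fingerprint against the one recorded before the patch.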

But despite the media blitz and the attention-grabbing headlines a year ago, headlines that pulled no punches in spelling out the doom-and-gloom scenarios Heartbleed posed to our online existence, this threat truly seems to have fallen victim to a collective short attention span: the public at large has little or no idea that Heartbleed exists, or that it ever existed.

According to a poll conducted by the Harris organization for Dashlane, in a survey of 2,000 American adults eighty-six percent have never heard of this online threat. Like many other things, this is simply a case of out of sight, out of mind, but the problem is that Heartbleed is still here, and it won’t be going away anytime soon.

“There was a lot of coverage at the time, so it was hard not to hear about it,” Dashlane CEO Emmanuel Schalit told TechNewsWorld. “People just seem to have forgotten it.”

But the problem is that Heartbleed is really only a symptom of a larger, more important one: the dependence on under-managed open source infrastructure. As I explained last year, the compromised OpenSSL is an open-source implementation of SSL software, a free version of the Internet’s critical backbone security. The issue is not only that it is widely deployed across the Web, but that, despite its mass appeal, it has almost no oversight.

“About 66 percent of all servers connected to the Internet use some version of the OpenSSL library, but virtually no one is maintaining it,” said Pavel Krcma, CTO of Sticky Password. Simply put, this security option is free, it’s compromised, and no one is managing it; a perfect storm for nefarious cyber-criminals.

That a year later nothing has really changed regarding Heartbleed lends credence to my opinion that there may not be a solution to this problem at all, and that this flaw is simply an inherent vulnerability in using free open-source infrastructure.

Now, as applications, virtual machines and servers are replaced, new encryption keys will be created and Heartbleed will eventually be rooted out, but that will likely take years. In the meantime about the only protection we have against it is the simple yet oft-ignored mantra of the security world: change your passwords and use unique passwords for every website, so that if one is compromised the damage is at least compartmentalized. Granted, it’s not much, but against Heartbleed it’s truly all we have.
