What to do about Heartbleed, a gaping security hole affecting 66 percent of the Internet (at least)

“There’s a security flaw in one of the basic encryption tools used by a huge number of websites, and it probably affects you,” Dylan Tweney reports for VentureBeat. “Just to be safe, you should probably change your passwords. All of them.”

“The flaw goes by the appropriately scary name ‘Heartbleed,’ and it affects OpenSSL, a data encryption library used by — potentially — more than two-thirds of the Internet’s websites,” Tweney reports. “In short, the bug means that attackers can ‘listen in’ on communications between those websites and the browsers visiting them.”

“The flaw exists in versions of OpenSSL that have been in use for about two years, and no one knew about it — no one legitimate, anyway — until a few days ago. Since then, the security researchers who discovered the bug have notified some of the major affected websites as well as the organization responsible for OpenSSL, which has already issued a fix,” Tweney reports. “They have also published an informational web site, at Heartbleed.com. That means major web sites should be fixed soon, if they aren’t already — but given how widespread the bug is, it may be weeks, months, or even years before the affected version is completely out of distribution.”

Read more in the full article here.

57 Comments

    1. The Snowden leaks clearly say that the NSA had unrestricted access to nearly all web servers, unfettered by most encryption. It’s a bit less clear on the ‘how they do it’ part.

Who wants to bet the NSA is responsible for planting this vulnerability in OpenSSL in the first place, and has been exploiting it from the start?

      1. The verdict on the security hole, at least at this time, is that it was a coding blunder. There is no ‘appearance’ of tampering, just blundering. It only affected one branch of OpenSSL, and that branch only had the blunder as of two years ago.

        But, as with Apple’s recent ‘GoTo Fail’ coding blunder, there’s always going to be that element of justified paranoia about deliberate surveillance.

        All I can say is that FUD is a propaganda tool used to mess with our minds and throw us off balance. Once off balance, the crooks strike and throw you to the ground. THEREFORE: Learn how to return to and maintain your balance in spite of all the FUD. That’s the single best response to any of the FUD mongering we’re subjected to 24/7. Just shut it off if you have to. Take reliable steps to kill the FUD where you can, whatever those steps may be, when you have the inspiration and energy. For example: My typing up this comment takes next to no energy and requires next to no stress.

1. It might be a coding error. Can’t deny that possibility. However, if anyone wanted to sabotage a critical part of security on the web, and get away with it, they would want the code that does it to look as ordinary and unassuming as possible – they aren’t going to write a subroutine called SabotageWebSecurity. It would look exactly like an ordinary feature or bug that just happened to seriously compromise security.

        2. It’s very difficult to make an intentional security hole look like an error. Remember, there are all kinds of logs, reviews, etc. that occur with software of this level, and something mysteriously changing would be discoverable (even if it was after the fact) and identified as to being malicious or simply an error.

        3. Additionally, the error is present in a branch which can easily be “diff’d” from the other branches (diff-ing forks is something reputable projects like OpenSSL do before accepting the changes back into the main branch), so it’s not like the NSA can sneak this in. They might do their own diff’ing and check for vulnerabilities being introduced that they can exploit, but for folks to assert they were responsible for the hole is pretty stretchy thinking.

        4. Someone looking at the code or running tests on it SHOULD have detected this much sooner, regardless of if it was a mistake or deliberate. Obviously, this gaping security hole passed through quality control somehow, and remained in released software for years without drawing attention until now.

Not saying it’s easy to do something like this deliberately. Hundreds of man hours could have gone into contriving a change into only a couple lines of code, or even a single comma in the branch diff. Not to mention infiltrating the right tech companies, gaining trust in open source communities. They could even alter code review and security screening procedures, and easily explain such changes with time and budgetary constraints – so that certain “bugs” don’t get detected.

  1. But on a more serious note, I was wondering, should we be rushing to change our password if the exploit is still going to exist for some time? Can’t it just be stolen again?

  2. The vulnerability is most important when used by sites you don’t have access to so you can’t check what version of OpenSSL they are using.

    But on sites I can check, I see that:
    10.6.8 – OpenSSL 1.0.0c 2 Dec 2010
    10.9.2 – OpenSSL 0.9.8y 5 Feb 2013

    So while I can’t explain why the version number for Mavericks is lower than the version number for Snow Leopard, the important point is that stock Macs aren’t susceptible (according to Heartbleed.com, the 0.9.8 and 1.0.0 branches are not vulnerable).

    1. Keep in mind that the problem is on the SERVER side. That’s where the hackers grab the data within the exposed memory space. Obviously, if you’re running a server, then it’s patching time.

Ideally, Apple will catch up all Macs using OpenSSL within the 1.0.0a-f branch to 1.0.0g.

      Isn’t it interesting that Apple went back to the 0.9.8 branch! I wonder why. It certainly proved useful in this case.

      1. Yup: And both systems I was checking were OS X server sites.

        Side note: A lot of the “nerd” crowd (I’m expressly not calling them hackers in this context) jump down Apple’s throat for not running the latest and greatest of the Open Source libraries that are included in OS X. Sometimes (like now) the reason becomes painfully obvious!

        1. Because of an element of anarchy amidst open source projects, there are ‘branches’ that change something. But an older ‘branch’ can continue onward without that change and turn out to be better than that other ‘branch’. Where this gets confusing to the non-geekified is the numbering system. That version 0.98 is superior to 1.0.0f doesn’t make any sense, except within the open source project.

2. You’re getting some wires crossed.

        This bug existed in the 1.0.1 branch of OpenSSL, and it was fixed in the “g” version of that branch.

There are two other branches of OpenSSL widely in use, and those are 0.9.8 and 1.0.0. Neither of those was vulnerable to the bug.

        Of course later versions would be considered “superior” in terms of feature and functionality, but with changed code also comes potentially less stability, so older versions would be considered more stable and “safe”. They’ve had more review time by the community.
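A small version-string triage for the branch rule this reply lays out (and for the two macOS version lines quoted in comment 2 above). This is an added example, not code from the thread or from the OpenSSL project; the sample banners are constructed.

```shell
# Triage an `openssl version` banner for Heartbleed exposure, using the branch
# rule from the thread and heartbleed.com: 1.0.1 through 1.0.1f carry the bug,
# 1.0.1g fixes it, and the 0.9.8 / 1.0.0 branches never had the heartbeat code.
# Usage: heartbleed_status "$(openssl version)"
heartbleed_status() {
    # Split "OpenSSL 1.0.1e 11 Feb 2013" on whitespace; field 2 is the version.
    set -- $1
    ver=$2
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) echo vulnerable ;;   # 1.0.1 .. 1.0.1f (incl. -fips builds)
        1.0.1*)                        echo patched ;;      # 1.0.1g or later
        0.9.8*|1.0.0*)                 echo not-affected ;; # branches without the heartbeat extension
        *)                             echo unknown ;;      # anything else: check by hand
    esac
}

# Caveat: distributions sometimes backport the fix without changing the version
# string, so "vulnerable" here means "needs a closer look", not proof of exposure.
# Constructed sample banners, including the two macOS builds quoted in the thread.
for banner in \
    "OpenSSL 1.0.0c 2 Dec 2010" \
    "OpenSSL 0.9.8y 5 Feb 2013" \
    "OpenSSL 1.0.1e 11 Feb 2013" \
    "OpenSSL 1.0.1g 7 Apr 2014"
do
    printf '%-30s %s\n' "$banner" "$(heartbleed_status "$banner")"
done
```

On a Mac the same check applies to the library the system actually links, e.g. the target of the /usr/lib/libssl.dylib symlink mentioned later in the thread, since a statically linked app may bundle a different version.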

  3. It’s typical media hysteria and likely entirely orchestrated by Microsoft. A two year old bug conveniently announced on day of end of support for XP with designer logo and even a preregistered domain – heartbleed.com

    I smell dirty tricks. – this is clearly no ordinary zero day bug announcement.

        1. Thanks for the chuckle. I’ve been in this industry since the days of toggling address switches on a DEC PDP-11/35. I left my gullibility days behind me around the time Pres. Reagan got shot.

    1. That domain was registered less than a week ago, according to public records. Heartbleed proof of concept code is also public record now and verified by numerous security experts – not sure how that could possibly be faked.

      1. I’m not saying it was faked. It was curiously timed to be announced on a day of huge embarrassment for Microsoft. To much fanfare. On the very same day when many would consider switching to unix based platforms to replace the now defunct XP.

        1. No one who is still using XP is considering switching to Unix. No one.

          For small businesses, the debate is going Windows 8 or Mac.

          For embedded systems– like ATMs — the debate is spend lots of money or do nothing and hope for the best.

        2. Actually, I’m a graphic design doofus, but thanks for the kind words.

          But really, do you think a lot of hard-core tech heads — the only people skilled enough to go with a Unix system — are still plugging away on XP?

        3. “…the only people skilled enough to go with a Unix system…”
          Not that it matters much, but you mis-read/mis-understood what Russ wrote: “…would consider switching to unix based platforms…”
          Russ is –without a doubt— referring to Mac OS X, Linux, etc, which are based on Unix. i.e. http://www.apple.com/osx/what-is/

  4. I use Mavericks, 10.9.2. On this system, /usr/lib/libssl.dylib is a link to libssl.0.9.8.dylib, which according to http://heartbleed.com is *not* compromised by this bug.

    CoreFoundation.framework uses libssl.0.9.7.dylib, also unaffected by the bug.

    I don’t know if any apps are statically linked with their own version of openssl. If so, who knows which version they use? But the version supplied by the system for dynamic linking appears to be unaffected by the heartbleed bug.

  5. This security hole is beyond most people’s comprehension and I honestly don’t know what useful suggestion there is to make except to Change All Your Passwords. How are people supposed to respond to that?

    The nature of this security hole leaves it up in the air as to WHAT was stolen and IF anything was stolen. It simply exposes one chunk of data space that could hold anything, from security certificates to your ID and password who-knows-where across the Internet.

    IOW: This is FUBAR. The ramifications may be nothing or everything. I expect the resulting mess to be somewhere in the middle with scattershot severe damage to Internet users.

    Oh, and you can bet the NSA knew about this security hole and have a server farm filled to the gills with all the crap they culled over the last two years.

    Very frustrating.

    But yeah. The best response really is to change all your passwords. HOWEVER: Don’t do it until each specific service on the net has verified that they have patched this security hole. If they haven’t, you’re wasting your time. Net sites ignoring this security hole should literally shut down until they’ve patched it. AND we shouldn’t be using any service that hasn’t stated they’ve patched the hole.

    If you actually run an SSL server, that’s a very different and more dire story.

    OMG frustrating.

1. And, while this is going on, Apple was dragged across the floor over its SSL bug. Not that it’s any better, but it seems that Apple’s bug didn’t matter a hill of beans across 66% of the Internet. SSL is leaky, as well as most OSes, and security is more or less obscurity rather than real.

      You might as well send your cheque in the mail.

      I would tend to believe these holes are deliberate, espionage, rather than accidental. They are too clean.

        1. But, see, Derek, this is the key. The human world of ideas IS the real world. The existence of an objective reality is irrelevant to our lives, for we live them according to our ideas, and fight and die according to our prejudices. The only saving grace is that after these sorry tribes, essentially insane, have wiped out one another, Earth abides.

2. You say it so much more elegantly than I.

When I was 13 I dreamed about mankind’s worst enemy: Deceptive ‘Truth’. That’s when I started using the phrases ‘Inner World’ and ‘Outer World’. I then broke outer world into ‘Man’s World’ and ‘God’s World’ (aka the natural world. I’m very pantheistic I’m told).

          Then I learned about General Semantics in college. Right up my alley. Words are symbols, not the things. The verb ‘to be’ describes nothing. Therefore avoid it and use descriptive words instead.

          Then I learned about Zen Buddhism where human symbols are made ridiculous to the point of meaningless. Everything is immediate experience. It was extremely revelational, catapulting me out of ‘the box’.

But I always strove to make the best I could of my meagre language skills in order to tell the stories I created to entertain myself, stuff from my personal inner world that talked about human abstraction versus whatever ‘reality’ there may be out there that we are incapable of ever comprehending in total. Thus my phrase: We never know everything about anything.

          IOW: We grok girl. I very much admire your inner world.

        3. Your words made me smile. *heart*

          That phrase of yours, ‘we never know everything about anything’ … surely, that refers to a different ‘we’, outside the confines of this dazzling marketplace of expertise! Why, we have thinkers here who can interpret facts any number of different ways with a snap of the fingers! MDN ought to stand for Mensa Daily News.

        4. It’s a different thought realm once you’ve verified your paranoia is real. At this point in my education about the creepy side of our species, I can only say: Don’t go into desperation mode. When you do, find your way out again. Desperation makes all of us stupid and incapable of rational thought. Personal experience out the ears speaking.

    2. NO, DO NOT change your password unless the site tells you to do so (by site bulletin or email). Doing so will EXPOSE you since hackers now know about this vulnerability and are actively exploiting it. DO NOT login to any site you can avoid until notified that the site is safe. You may actually have to VISIT your bank.

1. ALSO reset your browsers to get rid of any cookies which might house your credentials. These could EXPOSE you if you visit those sites, which will automatically upload your cookies.

      2. And do we really expect all of these sites/servers to announce to the world that:

        1) they have identified they had the bug (and open themselves up to potential lawsuits); or

        2) announce that they have upgraded, thus basically announcing that they had the bug previously, and telling people it’s safe to change their passwords?

        As WhoKnows and Derek Currie pointed out, changing your password is pointless until the server side is patched, but there is no way for us Average Joes to know that.

        Frankly I’m tempted to let things be unless I see some problem develop. Is that dangerous? Perhaps, but it doesn’t seem any more dangerous than communicating with a compromised website to change my password now that the bug has been announced to the world (and data thieves everywhere).

  6. Snowden said that the World Wide Web is wide open to spies. In all likelihood, this vulnerability is one of many used by spies that are unknown to the general public, and many more like it are going to be discovered over the coming years.

        1. Yes, I recommend the book but not the American movie. One of the major plot mechanisms is black hat hacking on a really sophisticated level. It is a fascinating part of the plot in the book, but glossed over in the movie.

      1. That novel’s original title, in Swedish, was ‘Men Who Hate Women’. Larsson wrote it as an apologia for his personal crime of omission, and it bloomed into a wildly successful trilogy that shone a harsh spotlight onto misogyny, politics, and corrupt human nature. At the centre of everything is trust. Losing that, we are all doomed.
