A major online security vulnerability that supposedly affected thousands of websites over the last two years was uncovered earlier this week, prompting a scramble to close the security hole.
The bug, labeled “Heartbleed”, may have allowed hackers to secretly extract sensitive consumer information and go undetected; however, it is equally likely that so far no one has actually taken advantage of the flaw. A Finnish security firm, Codenomicon, first discovered the bug, and Neel Mehta, an independent researcher working with Google Inc. (GOOG), diagnosed the threat at around the same time.
Heartbleed affects OpenSSL, an open-source encryption library that is used on about 66% of all web servers. OpenSSL is used by many HTTPS sites that collect personal and/or financial information, and while most internet users do not know exactly what the encryption technology does, they interact with it daily. That interaction can be as simple as entering a password for an email account, or as involved as filing tax returns electronically.
Google is extremely confident that the steps it has taken to protect its users against the Heartbleed bug are sufficient. The Mountain View, California-based company has issued a statement saying users do not need to change passwords to accounts currently being used to access Google services, including Gmail and YouTube.
Similarly, Facebook (FB), which has about 1.2 billion individuals accessing its website from all over the world, believes its security experts have taken all necessary actions required to protect users from the threat. Still, the company encouraged "people to take this opportunity to follow good practices and set up a unique password for your Facebook account that you don't use on other sites."
The US Internal Revenue Service (IRS) issued a statement yesterday saying the agency has not been impacted by the bug. "The IRS advises taxpayers to continue filing their tax returns as they normally would in advance of the April 15 deadline," the agency said.
Tumblr offered its users some spot-on advice earlier this week. "This still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit," Tumblr said. "This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage, and banking, which may have been compromised by this bug."
Security experts, however, are of the opinion that simply changing passwords will not really solve the problem, and that a patch that effectively fixes the bug is needed. A fix for the bug has been available since Monday.
But Nathaniel Couper-Noles, the principal security consultant at Neohapsis, feels fixing the security flaw does not guarantee that people's online data was not compromised. "The horse may already be out of the barn, so to speak, if passwords or SSL keys were compromised before the patch was in place," Couper-Noles said. "It may take a considerable amount of effort and money to re-establish a nominal security level."
Some sites will therefore need to determine whether they must revoke or reissue their digital certificates. A digital certificate validates a website's authenticity and secures its connections; simply put, it serves to prove a website's identity. Codenomicon found that the flaw could allow attackers to steal the private key attached to a website's own X.509 digital certificate, which means that any certificate issued before the discovery of the Heartbleed bug could already have been compromised.
Therefore, sites must now not only upgrade to a patched version of OpenSSL, they must also determine whether their SSL certificates have been compromised. They must then get new certificates to replace the ones compromised in order to safeguard sensitive consumer information in the future. With the number of certificates that will potentially need to be revoked, it can take weeks for the internet to catch up.
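The two-step remediation described above (patch the library, then decide which certificates and credentials to replace) as an added triage example, not code from the article or from any vendor it quotes. The inventory records and their field names are constructed here; the vulnerable version range (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g) is public knowledge the article does not state.

```python
import re
from datetime import date

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)")

def openssl_vulnerable(version: str) -> bool:
    """True for OpenSSL 1.0.1 through 1.0.1f, the releases that carried the bug.
    The 0.9.8 and 1.0.0 branches never had the TLS heartbeat code; the affected
    1.0.2-beta1 pre-release is out of scope here."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    branch, letter = (int(m[1]), int(m[2]), int(m[3])), m[4]
    return branch == (1, 0, 1) and letter < "g"  # "" (plain 1.0.1) and a..f

def triage(host: dict) -> list[str]:
    """Remediation actions one host still needs (constructed record schema:
    openssl_before = version at disclosure, openssl_now = current version,
    patched_on = upgrade date or None, cert_not_before = certificate notBefore).
    Assumption: a certificate issued after patched_on was issued for a fresh key pair."""
    actions = []
    was_exposed = openssl_vulnerable(host["openssl_before"])
    still_vulnerable = openssl_vulnerable(host["openssl_now"])
    if still_vulnerable:
        actions.append("upgrade OpenSSL to 1.0.1g or later")
    if was_exposed:
        # The private key sat in the memory of a vulnerable build, so it must be
        # replaced unless a certificate for a new key was issued after the patch.
        key_replaced = (host["patched_on"] is not None
                        and host["cert_not_before"] > host["patched_on"])
        if still_vulnerable or not key_replaced:
            actions.append("generate a new key pair, reissue the certificate, revoke the old one")
        # Passwords and session cookies served during the exposure window may have leaked.
        actions.append("expire sessions and prompt users to change passwords")
    return actions

INVENTORY = [  # constructed sample records, not a real fleet
    {"name": "shop", "openssl_before": "1.0.1e", "openssl_now": "1.0.1e", "patched_on": None, "cert_not_before": date(2013, 6, 1)},
    {"name": "mail", "openssl_before": "1.0.1f", "openssl_now": "1.0.1g", "patched_on": date(2014, 4, 8), "cert_not_before": date(2013, 6, 1)},
    {"name": "api", "openssl_before": "1.0.1c", "openssl_now": "1.0.1g", "patched_on": date(2014, 4, 8), "cert_not_before": date(2014, 4, 9)},
    {"name": "legacy", "openssl_before": "1.0.0l", "openssl_now": "1.0.0l", "patched_on": None, "cert_not_before": date(2013, 1, 15)},
]

def fleet_report(inventory=INVENTORY) -> dict:
    """Map host name -> outstanding actions, omitting hosts with nothing to do."""
    return {h["name"]: acts for h in inventory if (acts := triage(h))}
```

Calling `fleet_report()` on the sample inventory lists the still-unpatched host first with all three actions, the patched-but-not-reissued host with two, and the host that was never on a 1.0.1 build with none.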
What is scarier is the fact that nobody is able to reverse the damage that has already happened.