The race to fix SSL Heartbleed gets under way

One of the most serious security flaws ever has set the whole of the IT security industry on its mettle as it now races to get hundreds of systems and services patched


The race is now on to re-secure thousands of cloud services, service providers and an unknown quantity of end user client systems following the announcement of the SSL Heartbleed security flaw this week.

One of the key steps is for concerned service providers and website operators to issue new digital certificates, which encrypt traffic between users and online services; New Jersey-based Comodo has already issued ‘tens of thousands’ of new certificates over the last day or two.

It is thought that the Heartbleed vulnerability, which allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet, might also allow an attacker to obtain the private key for an SSL (Secure Sockets Layer) certificate. With that, an attacker could create a fake website with an SSL certificate that passes the verification test indicated by a browser’s padlock.

The flaw can also be used by an attacker to pull sensitive data such as recent user login details, in 64K chunks from a Web server.

According to statistics on web servers compiled by Netcraft, the vulnerability could affect as many as 500,000 websites using digital certificates issued by trusted certificate authorities.

One of the worrying aspects of the bug is that it is difficult to know if any hackers have actually used it, for no trace is left of any malicious access to a website. So it remains unknown at present if cybercriminals or state-sponsored hackers had been exploiting the flaw prior to its public release.

It is to be assumed, however, that if the flaw has been spotted by security professionals then it will also have been spotted by some in the hacker community.

The issue has not been helped by the fact that the normal approach to handling the discovery of such a flaw was, it appears, not followed with Heartbleed. Normally the security companies are advised at the same time and all work to create patches for the flaw before it is publicly announced. That way, the security industry as a whole could present a coherent defence against it.

This time, however, it appears that the normal disclosure procedure broke down and only two companies, Google and Cloudflare, were informed early and had patched their services before the public disclosure.

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software, albeit in 64kByte chunks. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

As long as the vulnerable version of OpenSSL is in use it can be abused. Affected users should upgrade to OpenSSL 1.0.1g.

Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
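The bug behind the fix in OpenSSL 1.0.1g is a missing bounds check on the heartbeat message: the sender declares a payload length and the vulnerable code copied that many bytes back without confirming the bytes were actually there, which is how memory is read out in 64K chunks. The following is an added example, not code from the article or from OpenSSL, showing that check as a detector a proxy or IDS could run over TLS records; the sample records are constructed here for illustration.

```python
"""Detection-side check for the Heartbleed condition (added example).

A TLS Heartbeat record (RFC 6520) carries a 2-byte payload_length
field. Vulnerable OpenSSL trusted that field; the 1.0.1g fix rejects
records where it does not fit inside the record body. The same test
can be applied by a monitoring device to flag malformed heartbeats.
"""
import struct

TLS_HEARTBEAT = 0x18          # record content type for heartbeat
HB_HEADER_LEN = 1 + 2         # heartbeat type (1) + payload_length (2)
HB_MIN_PADDING = 16           # RFC 6520: at least 16 bytes of padding


def check_heartbeat_record(record: bytes) -> str:
    """Return 'ok', 'malformed' or 'not-heartbeat' for one TLS record.

    'malformed' means the declared payload_length does not fit inside
    the record body, i.e. the over-read the patched bounds check rejects.
    """
    if len(record) < 5:
        return "malformed"
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return "not-heartbeat"
    body = record[5:]
    if len(body) != rec_len or rec_len < HB_HEADER_LEN:
        return "malformed"
    _hb_type, payload_len = struct.unpack("!BH", body[:3])
    # The check that vulnerable versions lacked: declared payload plus
    # header and minimum padding must fit in the record actually received.
    if HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len:
        return "malformed"
    return "ok"


def build_heartbeat(payload: bytes, declared_len: int, padding: int = 16) -> bytes:
    """Build a TLS 1.1 heartbeat record as constructed test data.

    declared_len is written into payload_length independently of the real
    payload so the detector can be exercised with consistent and
    inconsistent records.
    """
    body = struct.pack("!BH", 1, declared_len) + payload + b"\x00" * padding
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(body)) + body


if __name__ == "__main__":
    good = build_heartbeat(b"ping", declared_len=4)
    bad = build_heartbeat(b"ping", declared_len=0xFFFF)   # claims 64 KiB
    print(check_heartbeat_record(good), check_heartbeat_record(bad))
```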

Operating system vendors and distributions, appliance vendors and independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.
