Wednesday, April 9, 2014

The 'Heartbleed Bug' OpenSSL Security Hole:
A User's Best Practice Response

--

It's two days after knowledge of the OpenSSL 'Heartbleed' security hole hit the streets. Every blog remotely interested in computer security is posting about it. It may be the biggest FUBAR blunder in recent computer history. But it may amount to much-ado-about-nothing. I suspect it will result in scattershot severe damage to a moderate number of Internet users.

Because of my manifesto for this blog, I'm not going to go into the guts of the problem. If you're interested in exactly what's going on, I suggest you read Dan Goodin's articles about the Heartbleed bug and watch Steve Gibson's 'Security Now!' podcast number 450, 'How the Heartbleeds'.

Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping
Exploits allow attackers to obtain private keys used to decrypt sensitive data.

Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style
OpenSSL defect still exposing sensitive data even after patch is released.

GRC Security Now! Episode Archive

Before I get to the best response to this mess, let me list a few useful points about the situation:
  • The security hole is two years old.
  • It affects HTTPS encrypted connections to Internet servers.
  • The problem is at the server side, NOT the client side. There's nothing Internet users can do about it. Server administrators are responsible for patching.
  • Only one branched version of OpenSLL is affected.
  • Sadly that branch of OpenSLL is predicted to be used on ~60% of Internet servers.
  • It exposes a chunk of memory space that may or may not hold important data.
  • All the worries are about hackers stealing potentially important data from that exposed memory space.
  • That important data could include security certificates, user IDs and passwords.
  • There is no clear evidence that the security hole was maliciously created. It appears to merely be a coding blunder.
  • Yes, there may be justified paranoia about the code blunder being deliberate, as with Apple's recent 'GoTo Fail' SSL security hole.
  • Few of us will ever never know if the code blunder was deliberate. Therefore, don't let the FUD get you down. Return to balance and forge ahead.

WHAT TO DO:

--> Change all your Internet website passwords.

BUT: Wait until each individual website has verified they've patched their version of OpenSSL.

In other words, there is no point in changing your password at a website that has not patched this security hole. Zero! Nada! It might still be exposed to hackers, so what's the point.

This solution is incredibly frustrating. I entirely sympathize. I'm NOT looking forward to this process. I loathe and resent this situation. Who wouldn't? But this is the solution for Internet users.

Responsible websites will notify you via email or their home page to let you know when they've patched the security hole. Or, they'll notify you to let you know if there server is not affected. One or the other. Stay away from irresponsible websites that don't directly address this situation.

The PHISHING Effect: This situation will be exploited by phishing rats. You will receive faked emails claiming to be from websites you use. They will offer links where you can change your passwords in response to this bug. Those links will be fraudulent and lead you to fake versions of websites. Those fake websites will ask you for your ID, password, credit card numbers, ad nauseam. This will be a nightmare.

PLEASE read my recent article about Phishing. It will teach you one quick and easy method of identifying phishing scams:

http://mac-security.blogspot.com/2014/04/phishing-for-suckers-of-mac-user-variety.html

An article by my colleague Topher Kessler will provide you with further information about phishing:

http://www.macissues.com/2014/03/31/new-phishing-attempt-mimics-apple-support/

~ ~ ~ ~ ~

Q: Do we REALLY have to change all our passwords?

A: YES, except when a website verifiably notifies you that they did NOT have the Heartbleed bug. Otherwise, expect they have it or had it. Contact them and ask what's their situation.
~ ~ ~ ~ ~

Q: Do we REALLY have to wait until a website notifies us to change our password?

A: YES. If you haven't heard from a website regarding the Heartbleed bug, contact them and ask them what's their situation.
~ ~ ~ ~ ~

Q: What about websites where I don't use HTTPS?

A: SHAME on any website that doesn't use HTTPS! Contact the website and ask them why they don't protect their users with encryption. In this day and age, there is no excuse for not using HTTPS. None. Zero! Not kidding. I could rant for ages about irresponsible websites. 
~ ~ ~ ~ ~

Q: But doesn't the Heartbleed bug mean SSL/TLS/HTTPS isn't perfect and still might leak my private data?

A: Sadly, yes. But that's because we're still in what I call 'The Stone Age Of Computing.' Decades from now they'll look back on us with pity. Poor we who put up with user abuse and coding insecurity. We are 'the bleeding edge'. It hurts.

Meanwhile: SSL/TSL/HTTPS is the best we've got for now. Even with this nasty little Heartbleed bug, it's profoundly better than no encryption at all.

The Future Is End To End Encryption. 
Everywhere on the Internet. 
At all Times. 
Guaranteeing our universal right to privacy.

It's just taking us a painfully long time getting there. And yes, our own governments' undermining of that process is deliberately hurting its progress. But We The People forge onward, despite the crooks, kooks and treasonous criminals who abuse us. It is ever so with humanity. That's not going to change.


Brave faces!
Brave hearts!
Brave spirits!
We persist ever forward into positive change and sanity.


:-Derek




--






No comments:

Post a Comment