The race to fix SSL Heartbleed gets under way

One of the most serious security flaws ever has set the whole of the IT security industry on its mettle as it now races to get hundreds of systems and services patched


The race is now on to re-secure thousands of cloud services, service providers and an unknown quantity of end user client systems following the announcement of the SSL Heartbleed security flaw this week.

One of the key steps is for affected service providers and website operators to generate new private keys and obtain new digital certificates for them, since the certificate and its key are what authenticate a site to browsers and protect the traffic between users and the service. New Jersey-based Comodo has already issued `tens of thousands’ of new certificates over the last day or two. Reissuing a certificate for the same, possibly stolen, private key achieves nothing; the key must be new and the old certificate should be revoked.

It is thought that the Heartbleed vulnerability, which allows stealing the information normally protected by the SSL/TLS encryption used to secure much of the Internet, might also allow an attacker to obtain the private key behind a server’s SSL (Secure Sockets Layer) certificate. With that, an attacker could impersonate the site with a certificate that passes browser validation and shows the padlock.

The flaw can also be used by an attacker to pull sensitive data, such as recently submitted user login details, out of a Web server’s memory in chunks of up to 64KB per request, and the request can be repeated as often as the attacker likes.

According to statistics on web servers compiled by Netcraft, the vulnerability could affect as many as 500,000 websites using digital certificates issued by trusted certificate authorities.

One of the worrying aspects of the bug is that it is difficult to know whether anyone has actually used it: a heartbeat request is handled inside the TLS layer and looks like ordinary encrypted traffic, so exploitation leaves no trace in the web server’s logs. It therefore remains unknown at present whether cybercriminals or state-sponsored hackers had been exploiting the flaw prior to its public release.

It is to be assumed, however, that if the flaw has been spotted by security professionals then it will also have been spotted by some in the hacker community.

The issue has not been helped by the fact that the normal approach to handling the discovery of such a flaw was, it appears, not followed with Heartbleed. Normally, vendors and major distributors are notified under embargo at the same time and all prepare patches before the flaw is publicly announced, so that fixes are available everywhere at the moment the flaw becomes known and the industry as a whole can present a coherent defence.

This time, however, it appears that the normal disclosure procedure broke down and only two companies, Google and Cloudflare, were informed early and had patched their services before the public disclosure.

The Heartbleed bug allows anyone on the Internet to read the memory of systems protected by the vulnerable versions of the OpenSSL software, up to 64KB at a time. This compromises the private keys used to identify the service providers and to set up the encrypted session, the names and passwords of users, and the actual content of the traffic. It allows attackers to eavesdrop on communications, steal data directly from the services and their users, and impersonate services and users.
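To make the 64KB figure concrete, here is an added illustration in C of the defect and of the check that OpenSSL 1.0.1g added; it is written for this page and is not OpenSSL’s own code. A heartbeat record carries a two-byte payload length chosen by the peer. The vulnerable handler copies that many bytes from the received record into its reply without comparing the claim with the real record length, so a request that carries five bytes but claims 64 (the field’s maximum is 65535, hence the 64KB) gets back 64 bytes of whatever follows the record in memory. The memory arena, the `SESSION=deadbeef` string, the record layout helper and the function names are constructed for the demonstration; the cap on the claimed length in the vulnerable handler exists only to keep the demo’s over-read inside its own buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 256
#define HB_PADDING 16          /* RFC 6520 requires at least 16 bytes of padding */
#define TLS1_HB_REQUEST 1

/* Constructed memory arena standing in for a server process: the received
   heartbeat record sits at offset 0, and unrelated data (a made-up secret)
   sits further along, exactly where an over-read would find it. */
static uint8_t arena[ARENA_SIZE];
static const char secret[] = "SESSION=deadbeef";   /* constructed sample data */
#define SECRET_OFFSET 40

/* Lay out a heartbeat request at the front of the arena:
   type(1) | payload_length(2, big-endian) | payload | padding(16).
   'claimed' is what goes on the wire; 'actual_len' is what is really sent.
   Returns the true record length, which is what the TLS record layer knows. */
static size_t build_request(const uint8_t *payload, size_t actual_len, uint16_t claimed) {
    memset(arena, 0, sizeof arena);
    memcpy(arena + SECRET_OFFSET, secret, sizeof secret);
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memcpy(arena + 3, payload, actual_len);
    /* padding bytes follow the payload and are left as zero */
    return 1 + 2 + actual_len + HB_PADDING;
}

/* Vulnerable handler, modelled on OpenSSL 1.0.1 through 1.0.1f: echoes back
   'claimed' bytes starting at the payload, trusting the peer's length field
   and never comparing it with rec_len, so it reads past the record. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    (void)rec_len;                               /* the bug: rec_len is never consulted */
    const uint8_t *p = rec + 1;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if ((size_t)payload > out_cap) payload = (uint16_t)out_cap;  /* demo-only cap, keeps reads inside the arena */
    memcpy(out, p, payload);
    return payload;
}

/* Fixed handler, modelled on OpenSSL 1.0.1g: discard the message unless the
   record is long enough to hold the header, the claimed payload and the padding. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (1 + 2 + HB_PADDING > rec_len) return 0;
    const uint8_t *p = rec + 1;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;   /* silently discard, RFC 6520 section 4 */
    if ((size_t)payload > out_cap) return 0;
    memcpy(out, p, payload);
    return payload;
}

/* Returns 1 if the constructed secret appears anywhere in the response buffer. */
static int response_leaks_secret(const uint8_t *out, size_t n) {
    size_t slen = strlen(secret);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, secret, slen) == 0) return 1;
    return 0;
}

int main(void) {
    static const uint8_t hello[] = "hello";
    uint8_t out[ARENA_SIZE];

    /* Malicious request: 5 real payload bytes, but a length field claiming 64. */
    size_t rec_len = build_request(hello, 5, 64);
    size_t n = heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    printf("vulnerable: returned %zu bytes, leaks secret: %d\n", n, response_leaks_secret(out, n));
    n = heartbeat_fixed(arena, rec_len, out, sizeof out);
    printf("fixed:      returned %zu bytes (0 = request dropped)\n", n);

    /* An honest request still works with the fix in place. */
    rec_len = build_request(hello, 5, 5);
    n = heartbeat_fixed(arena, rec_len, out, sizeof out);
    printf("fixed, honest request: returned %zu bytes: %.*s\n", n, (int)n, (const char *)out);
    return 0;
}
```

The record layer already knows the true length of what arrived; the whole fix is to compare the peer’s claim against it before copying, and to drop the message silently rather than answer it when the claim is too large.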

As long as a vulnerable version of OpenSSL is in use it can be abused. The affected releases are OpenSSL 1.0.1 through 1.0.1f; the 1.0.0 and 0.9.8 branches do not contain the heartbeat code and are not affected. Affected users should upgrade to OpenSSL 1.0.1g.

Users unable to upgrade immediately can instead rebuild OpenSSL with -DOPENSSL_NO_HEARTBEATS, which compiles the heartbeat extension out entirely. In either case, every service that has the old library loaded must be restarted, and keys, certificates, session cookies and passwords that may have been exposed should then be replaced.

Operating system vendors and distributions, appliance vendors and independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.
