Saturday, April 12, 2014

Heartbleed

TLS and its predecessor SSL are the protocols used to encrypt Internet traffic and verify the identity of servers. It's the "S" in "HTTPS" and it's what makes the little padlock appear next to the URL in your browser. OpenSSL is an open source package that implements them and is widely used (because it's free and security programming is hard). There are other implementations that are widely used too.

Last week a bug in OpenSSL was announced. It's known as the Heartbleed bug. It's in a new feature of TLS known as a heartbeat. Since setting up a secure connection is an involved process, if one is going to be reused, it's better to keep it open. Once a connection is set up, a client sends a ping to a server and asks for a response to know it's still alive and to know to keep the connection open.

The heartbeat request includes a string of text for the server to return so the client knows it's a current response. It's kind of like kidnapping victims posing in photos with today's newspaper. Dealing with strings can be tricky with computers, the request includes the number of characters in the string. The bug is that the server doesn't verify the stated length compared to the actual string length. An attacker, can send a malformed request and get random memory from the server. This memory can have anything in it. xkcd explains the bug really well:

So how bad is this? It's pretty bad but maybe not for you. It's in code that runs on servers, so unless you run a web server, there isn't any software for you to upgrade.

It's also a little difficult for an attacker to exploit. An attacker can send a malformed message whenever they want, but each time they'll get back random stuff in the server's memory and they'll have to figure out what that is. It's not like they hacked in and stole the password file and can then work at cracking passwords. I've seen differing reports about what information is potentially in the vulnerable portions of a server's memory, but the latest I've seen is that it can be a lot of sensitive stuff, virtually anything.

To be on the safe side, vulnerable sites are telling their users to change their passwords, but I think there are some issues with that blanket statement.

First, it's hard to know if web sites you use have been susceptible. The Heartbleed Hit List: The Passwords You Need to Change Right Now is a list of popular sites and whether they're affected. It turns out a lot of sites I use weren't affected, like Apple, Amazon, Twitter, LinkedIn, and most banks. Google was affected but says you don't need to change your password, but it's probably a good idea. I use Google's two-factor authentication so I'm not particularly concerned (I haven't lost my phone).

Another report says that about 37,400 of the top million sites are still affected as of April 9th. To put some of that in perspective Ars said, "The top domain vulnerable to the Heartbleed bug is Kaskus, an Indonesian social media site" which I've never heard of (the web is big, and not just in English speaking countries). Of course the reason a site is not affected could be good or bad. Maybe they don't use OpenSSL, maybe they're just using an old version (opening them up to other bugs which isn't a pleasant thought). Here's a list of the top 10,000 sites as of April 8th and their vulnerability, lots of popular sites are (were) vulnerable.

Also it doesn't help to change your password until you know the site is fixed. You can check specific sites yourself with this tool. Just enter the site name and it will tell you if it's okay or not.

The Heartbleed bug was introduced into code on Dec 31, 2011 and released in OpenSSL 1.0.1 on March 14, 2012. So sites might have been affected for as long as two years. Or less, it depends when they upgraded to version 1.0.1. My sense is that if information was compromised two years ago, you probably would have seen some effect by now. If you haven't, then you're probably ok. Of course now that the bug is public, if a site hasn't been fixed in the last week it's more likely that someone is using this attack. But if you haven't logged in it's unlikely your information is in the server's memory to be retrieved.

Here's another problem and it's one reason the tech community has been so upset about Heartbleed. It turns out that Heartbleed can allow an attacker to steal a server's private key. The way a user has a password, a server has a private key. As much of a pain as it is for users to change all their passwords, for a server to change its one password it must get it signed by a certificate authority. It turns out that just four companies verify the certificates of 90% of the Internet. They're very busy right now and getting a highly secure certificate involves real world verification that the server is who it says it is (kinda like getting a bank loan and verifying all the details of your employment) and can be expensive.

With a compromised private key, some evil site could impersonate a real site, which means instead of telling the real site information like your password and shipping address, you could be telling a thief that information. Unfortunately there's no easy way to know if a site you use has updated it's certificate since Heartbleed. Your browser can show you the certificate (in Safari you click on the padlock icon) but mine just shows the certificate's expiration date, not the issue date. And remember, more secure certificates take longer to get. You might make some guesses, looking now at Facebook's certificate I see it expires in exactly 1 year, I'm guessing they just got a new one that's good for a year.

Unfortunately it gets even worse. It turns out some networking devices like VPN and switch products are vulnerable to the bug. Juniper and Cisco have issued advisories. I don't really understand the extent of this news. I know that to fix some of these devices people need to buy new hardware. I don't know if network hardware between you and a destination server could be affected and expose your information and if you could tell (though I'm guessing not).

So here's what I'm doing.

  • I checked my commonly used site on the list and found I'm not too exposed. If you are, you should proceed more quickly.
  • I'll wait a little bit (another week or so) and then change all my passwords following the advice I wrote two years ago in Web Passwords. I'm not sure it's needed but it's good password hygiene to change them every once in a while, and it's been two years for me.
  • I'm not opening new accounts on unfamiliar (or small) web sites in the near future. Certainly not without checking their Heartbleed exposure with this tool.
  • I'm not logging into sites I have accounts at until I check their vulnerability. If I haven't logged in in a year, my info isn't in the server's memory to be stolen.
  • I'll go through this list and enable two-factor authentication on as many accounts as I can. I already do it for Google and Apple and it works great and isn't a big annoyance at all.
  • Make sure your browsers are setup to verify certificates. On a Mac that means open Keychain Access and go to its preferences and make the third tab look like this: Screen Shot 2014 04 12 at 3 15 16 PM

A couple of articles I've found interesting...

This seems a pretty level headed description of what it means for the average person on the Internet. Heartbleed and passwords: don’t panic.

This stackexchange posting offers a few views of what to do, Should I change all my passwords due to heartbleed.

This incident makes the case that we need to change how we fund (or currently don't fund) projects providing critical infrastructure of the Internet. How Heartbleed Broke the Internet — And Why It Can Happen Again.

While Man who introduced serious 'Heartbleed' security flaw denies he inserted it deliberately, Bloomberg reports NSA Said to Exploit Heartbleed Bug for Intelligence for Years. "The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said." I note the "two people" appear to be anonymous. However, the NSA denies it knew about Heartbleed, Statement on Bloomberg News story that NSA knew...

I'm guessing the bug was a pure accident and that the NSA probably knew about it before last week.

Here's a slightly fluffy piece, Behind the Scenes: The Crazy 72 Hours Leading Up to the Heartbleed Discovery and a nice first hand account of an affected web service, When servers bleed

And for fun, Why The Security Bug Heartbleed Has A Catchy Logo

4 comments:

The Dad said...

Yesterday I decided to change my Gmail pwd, and while I was at it set up my 2-step authorization. Well, that killed more than an hour by the time I was done. Having never done it before or even read about it, I was not quite sure how the various iDevices would deal with it, so I had to learn about app-specific passwords as I went. And now I've got to do the same for my wife's, my daughter's, and another google account I use. Painful.On the other hand it was a good opportunity to document everything in Evernote, something not affected by Heartbleed.

Howard said...

Sounds about right. Google does suck at documentation. Took me about an hour, and you have to get app-specific passwords for different apps on different devices. But, I haven't had to do anything about it since setting it up. Occasionally I've been sent text message with a code, I think usually for a new app or when logging in from a new wifi network, but that's it.

Megs said...

A belated thanks for the post, Howard, and all the info! I've just changed my relevant passwords, although am a bit concerned as didn't have to take an hour with Google (maybe because I already have 2-step verification, and I don't have a lot of devices?)

And, fyi, the link you have to the 10000 sites .... "link not found"

Howard said...

Link fixed. Thanks.