Even as the Heartbleed bug that has infiltrated Web sites and threatened millions of users runs its course, its impact is being assessed. And, as the extent of the vulnerability increases, a question is whether Heartbleed has set a milestone in Web security
On Monday, a critical vulnerability was made public in some versions of the encrypting technology OpenSSL, which is used by hundreds of thousands of Web sites. The vulnerability was apparently undetected for nearly two years, and hackers can exploit it without leaving any sign they did so.
OpenSSL uses SSL/TLS encryption for security and privacy in Web sites, e-mails, instant messaging and other applications. The vulnerability could allow a hacker to steal sensitive data, including user names, passwords, and the keys used to decode encrypted transmissions.
A fix has been released and is being implemented by many sites. According to The Heartbleed Bug site, the bug is not a design flaw in the SSL/TLS protocol spec, but rather is an "implementation problem, i.e., programming mistake in popular OpenSSL library that provides cryptographic services."
On Friday, Reuters news service reported on recent warnings from security experts that the bug may be greater than just Web servers. The reason is that the unpatched OpenSSL code is also used in some e-mail servers, users' computers, smartphones and firewalls. There are also reports that version 4.1.1 "Jelly Bean" of Google's open-source operating system, Android, also has the same vulnerability, which, if accurate, would magnify the problem by millions of smartphones.
Security expert Jeff Moss, for instance, told Reuters that he is waiting for an enterprise firewall patch from McAfee. Cisco, Intel and other major technology companies are reportedly reviewing their products now to see if they are affected by the vulnerability.
Given the extent of the vulnerability, one question is whether Heartbleed represents the biggest security threat yet for the Web.
'As Long as It's Fixed'
Lawrence Orans, vice president for research at industry research firm Gartner, told us that "the problem with Heartbleed is that the burden is on the consumer to change passwords on multiple Web sites." He added that "it's a bigger pain in the neck than upgrading to the next level of iOS. Most consumers won't change their passwords, but they will be at risk."
John Grady, program manager for security products at IDC, said that "any time there's a vulnerability this broad, its a huge deal because of the lack of awareness among many consumers relative to best practices for online safety." He noted that "there's always the risk that vulnerabilities like this are going to be discovered, but I don't think that this is going to open the floodgates."
On the question of whether this is the biggest threat, Gartner security analyst Avivah Litan commented to us that "it depends how you look at it." She pointed out that, "as long as it's fixed," it is a manageable issue. On the bright side, Litan said, the disclosure of the bug and the quick fix "is what open source is all about."
"Who knows," she said, "if a big company had discovered this kind of error, would they have [similarly] publicized it?"
Litan also said that cybercriminals apparently were equally in the dark about the existence of this flaw, because, if they had known, they would have been using it over the last two years "to grab everything in memory." But, she said, "cybercriminals have not been using this vector, as far as we've been told."
Half-jokingly, she noted that it remains to be seen if the U.S. National Security Agency has been tapping into sites over the last two years through Heartbleed.