Security flatlines with the discovery of Heartbleed
Whether we like it or not, we put a lot of trust and faith into the systems that carry our personal information. Our phones, our computers, and the ever-evolving “cloud,” are our repositories of the information we don’t want to memorize (phone numbers, calendar events, email archives, etc).
Some of this information is private or, even if it isn’t, it’s guarded by security measures to restrict access to personal spaces in these services. In today’s highly integrated society, knowing that access to those spaces are secure is a comfort that is enjoyed fairly implicitly.
We trust that the level of control we’re given will be enforced and maintained because we believe in the authentication model that has been in place for centuries.
Passwords, which have been used as far back as ancient Rome, are based on the simple idea to restrict access to a resource so that only people who are allowed are able to use it. But here’s the thing, passwords are getting old.
A password is nothing more than a piece of information and anyone with that token of knowledge has all of the privilege that goes with it. Passwords are old and a new system of authentication needs to be in place.
Technology changes at an extremely fast rate. An old security measure cannot possibly keep up with constantly changing security threats.
And every once and a while, we are reminded of the weaknesses built into the very foundation of our password dominated security system.
Last week, companies and users around the world were given a wake up call when a vulnerability was discovered. The vulnerability existed in technology that lets all of us use services like online banking, email and online shopping with little fear for our privacy.
This bug, dubbed Heartbleed, has existed since 2012 and there is no way to know if this bug was ever exploited.
OpenSSL, a software computers use to create secure connections with each other, was found to house the culprit bug in one of its most basic functions. For a better understanding of how the Heartbleed bug works, let’s walk through it step by step:
1. You tell your browser, “I’d like to connect to Gmail, please.” It says “okay” and hurries along to do your bidding, oh master.
2. It gets to Gmail where it is told, “Listen, let’s communicate securely.” Your browser happily agrees and begins an encrypted connection using SSL. Gmail uses OpenSSL to handle the connection, storing data you want in its memory before sending it to you. This could be emails, images of cats, etc.
3. While you’re looking at the emailed images of cats, your computer and Gmail want to keep the connection open for you, periodically poking each other saying things like “Hey, Gmail. Are you still there? If so, say this four letter word: cats.”
4. Knowing that your browser is trying to keep the connection open, Gmail will read the message, count all four letters, and respond to your browser’s message.
This step is called the “heartbeat” because, just as your heartbeat tells doctors you’re alive, so does this exchange between your browser and Gmail. If you are nefarious, though, you can do a little technical trickery to get more information than you ought to. Let’s jump back to step three.
Instead of sending a heartbeat message that makes sense, you send this: “Hey, Gmail. Are you still there? If so, say this 500 letter word: cats.”
In an attempt to keep the connection open, Gmail will read the message, count the four letters in “cats” and then keep counting. It will count all of the letters next to “cats” in its memory until it hits the 500th character and send all of the characters to you.
So, instead of receiving “cats”, you might receive “cats. Bob logged in with the password truffles.” and so on.
Now, before you shun technology and run off to live the Amish life, there is a measure of good news.
Due to the importance of OpenSSL, most online services using it have patched their servers to prevent the bug from working in the future. Also, most financial institutions and retailers do not use OpenSSL or were not vulnerable. And protecting yourself is easy. Just log in and change your password.
This bug was not the result of a malicious attack nor a devious ne’er-do-well putting a secret backdoor into OpenSSL. It was just a programming error, no more malicious than a waiter forgetting your drink.
But there is a deeper concern at play. Very few people would have cared if it just leaked the contents of random emails. That information is private, sure, but the effects aren’t long lasting.
It’s no more earth shattering than someone getting a random page from someone’s diary. But the fact that our passwords may have been leaked is what gives Heartbleed the skin crawling factor.
Which brings us right back to passwords. Heartbleed wouldn’t be an issue if everyone used a different password for every service they used, but the simple fact is that most of us don’t.
It’s hard keeping so many passwords in our heads and we’ve been told over and over not to write them down. So, we use the same password or batch of passwords and, thus, when one of those is leaked, it’s disquieting because it’s a fundamental breach in our sense of security.
What we need is something better than passwords. We could use biometrics but fingerprint readers are hardly foolproof and require a separate piece of hardware.
Companies, like Google, have been pouring money into this problem, but it’s understandably difficult to think outside of a paradigm that’s been around for literally a millennia. There are ways to beef up the power of passwords, like two-factor authentication, but that’s just a stopgap.
It’s going to take some truly revolutionary thinking to come up with something to replace passwords, but I hope it comes soon.