Bleeding hearts

It’s the first weekend after the announcement of CVE-2014-0160, aka “Heartbleed” and if you were to believe even a small fraction of what’s been written about it you’d think the world had come to an end. There’s a lot of nonsense. A lot of dumbed-down explanations seem to add more confusion (Randall Munroe’s angle is a notable exception). The detailed investigations will be read by many, but only understood properly by those who already understand.

As a consequence of this bug I’ve been particularly busy with many of the systems around the world in which I have a role (always behind the scenes). All is a bit quieter now, so I’ve had a chance to peruse what has been written, and a lot of it is pure nonsense or just misleading. I won’t embarrass the particularly guilty by linking to them (your favourite search engine can find them anyway). Instead, here are my own responses to some of the more notable ones:

Heartbleed Virus

No, it’s NOT a virus! It’s just a bug. A coding mistake for TLS/DTLS heartbeats made two years ago in a piece of very useful free software that many of us have come to rely on. The mistake means that some secure sites may be fooled into revealing some data that would normally be kept secret. That data might contain a password or something else that’s sensitive, but usually it just contains gibberish.

Error in the SSL specification

It’s not. The error was in the implementation, not the specification, and only in a very specific implementation of a popular (and well respected) realization of the specification, known as OpenSSL. The error was even missed during code review. It happens. People make mistakes. The repair involves just one line of code. (For the want of a shoe…)

Two thirds of all Web sites are affected

No! Two thirds of all Web sites use either Apache or nginx at their front door, and both of these make use of OpenSSL (where the bug appeared). However, the bug only affects certain versions (1.0.1 to 1.0.1f inclusive), and some investigators suggest that only one in six Apache/nginx sites are affected. That’s only a quarter of what the end-of-the-world people would suggest.

Scam to make us buy upgrades (and other conspiracy theories)

OpenSSL is free. Always has been, always will be. In almost all places where it has been used, it can be updated or patched. Again free. The behaviour of vendors, service providers, governments and others in the past few days suggests none of this was planned.

Hardware is not affected

Actually, some Internet hardware is affected. The router, switch or VPN box on the shelf is actually a small computer and it runs a lot of software. Cisco and Juniper announced during the week that certain hardware products contained faulty versions of OpenSSL, including workhorses like the WebEx Meetings Server (v2) and WebApp Secure. Repairing the bug may be a more complicated process, and is seldom automatic, so many hardware systems are going to remain vulnerable.

Bug only affects servers

Wrong. The mobile operating system Android, version 4.1.1, is already known to be vulnerable. That’s a client, not a server. The iPhone (and all Apple iOS systems, it would appear) is not affected because it does not use open source resources such as OpenSSL. Being a proprietary solution, iOS is busy cooking its own unique security bugs.

No way to detect if you are under attack

While there’s no way to determine if you were under attack in the past, it’s certainly possible to determine if you are under attack right now. The bug is exploited by sending the secure endpoint (e.g. Web server) a malformed message, which results in a response containing more data than it should. One can set up a modified version of the endpoint that detects such malformed messages. This is the concept behind the Heartbleed honeypots that will be used to trap malicious exploitation of the bug. One could even create a modified version of OpenSSL that in addition to repairing the bug, adds a logging operation to record the details of attackers.

It’s no coincidence that XP’s last day of support is the day Heartbleed hit

Yes it is.

Wait a minute. Back up a bit. My phone could be vulnerable?

Yes. Android or iOS, do an update. Now. If you are using some other mobile OS, do an update anyway. It shouldn’t hurt.

Only the Web is affected

In fact, any server supporting SSL is potentially vulnerable. One has to dig deeper to see if it is also using OpenSSL, and then check the version that it is using. The problem can affect email servers, database servers and so on.

People will have to buy new SSL certs

No. Once the affected server has been patched, just get the cert re-keyed. Most Certificate Authorities appear to be offering this service for free. The expiry date won’t change, but the keys that protect the cert will be different, so if your site was a victim of Heartbleed and leaked its keys then those old keys will be of little use any more. (Note: old keys can decrypt old recorded network traffic, but its unlikely that someone was recording encrypted traffic, right?) There are very few cases where a new certificate is necessary, and even fewer where new (possibly only temporary) domain names are needed. Client applications that use certificate pinning, for example, will create some complications that may result in spending money but most people can ignore this.

There’s plenty more I could say, but enough is enough.

Categorised as: Hardware, Networking, Security, Web, Web Protocols and Specifications

Comment Free Zone

Comments are closed.