Heartbleed

The biggest security flaw in Internet history hit the newslines last night. The massive Heartbleed vulnerability in OpenSSL, the encryption service on which two-thirds of web servers rely, means that potentially any password, security certificate or public/private key is now at risk.

All Yahoo, Google and Facebook accounts have potentially been compromised, but so too are any commercial web services that use the OpenSSL standard, including performance marketing networks, payment processors, banks, ecommerce software providers and etailers.

Many of these security scares are over-blown – this one is the real deal. In this blog, Revenue+performance has brought together for you the most important news commentary and technical resources.

Security company Codenomicon broke the news on a dedicated website, Heartbleed.com:
“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.”

Heartbleed is actually a small bug in a piece of logic that relates to OpenSSL’s implementation of the TLS ‘heartbeat’ mechanism.

Johns Hopkins professor Matthew Green describes it as the result of a relatively mundane coding error: “a tiny vulnerability — a simple missing bounds check — in the code that handles TLS ‘heartbeat’ messages. By abusing this mechanism, an attacker can request that a running TLS server hand over a relatively large slice (up to 64KB) of its private memory space”.
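To make the “missing bounds check” concrete, here is an added illustrative heartbeat handler (not OpenSSL’s own code) that models the RFC 6520 record layout the quote refers to and includes the length check whose absence caused the bug; the buffer sizes and sample records are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a TLS heartbeat record (RFC 6520):
 * type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * This is added illustrative code, not OpenSSL's implementation. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_MAX_RESP  4096   /* assumption: response buffer size used in this example */

/* Build a response in out[]; return its length, or 0 if the request is rejected.
 * The comparison against rec_len is the bounds check that was missing: without it,
 * payload_len bytes (up to 65535, the "64KB" in the text) are copied from memory
 * beyond the end of the record the peer actually sent. */
size_t heartbeat_respond(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)            /* too short to carry header + padding */
        return 0;
    if (rec[0] != HB_REQUEST)
        return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The fix: the declared payload must fit inside the record actually received. */
    if (1 + 2 + payload_len + HB_PADDING > rec_len)
        return 0;
    size_t resp_len = 1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)payload_len;
    memcpy(out + 3, rec + 3, payload_len);          /* echo only bytes the peer sent */
    memset(out + 3 + payload_len, 0, HB_PADDING);   /* padding (random in real TLS) */
    return resp_len;
}

/* Constructed sample: declared length (5) matches the bytes present. */
size_t demo_wellformed(uint8_t *out, size_t out_cap)
{
    uint8_t rec[1 + 2 + 5 + HB_PADDING] = { HB_REQUEST, 0x00, 0x05, 'h','e','l','l','o' };
    return heartbeat_respond(rec, sizeof rec, out, out_cap);
}

/* Constructed sample: declares 0xFFFF payload bytes but carries only 5; a checked
 * handler drops it instead of reading past the record. */
size_t demo_malformed(uint8_t *out, size_t out_cap)
{
    uint8_t rec[1 + 2 + 5 + HB_PADDING] = { HB_REQUEST, 0xFF, 0xFF, 'h','e','l','l','o' };
    return heartbeat_respond(rec, sizeof rec, out, out_cap);
}
```

A vulnerable handler differs only in lacking the `rec_len` comparison, which is why the patch was a one-line change while the impact was a server-wide memory leak.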

What makes this enormously critical is that although the bug and the catastrophic security risk it brings were only revealed yesterday, the vulnerability has been around for two years.

According to the Guardian:
“The vulnerability was introduced in 2011, apparently by accident when the open-source code was updated, but the error was only spotted recently. That has raised fears that some attackers may already have been exploiting it to steal information.”

“Unfortunately it is not clear at the moment that there is any way to know whether this (a site has been hacked) has already happened, since the vulnerability has been around for two years,” explains Matthew Bloch, the managing director of hosting company Bytemark.

The simplicity of the security flaw means that hacking tools have almost instantly become available to buy on hacker web sites – assuming they haven’t already been available for the last two years. The bug not only lets attackers read confidential encrypted data; it also allows them to take the encryption keys used to secure the data. Even servers which fix the bug, using a patch supplied by OpenSSL, must also update all their keys or risk remaining vulnerable.

All of this means that applying the OpenSSL patch is only the starting point on the multi-step path to Heartbleed recovery. Websites will need to replace their digital security certificates after applying the update, and administrators and users will need to change any passwords used in the last two years.

A final thought before we give you links to more reading: The Edward Snowden leaks have revealed that the NSA was for years devoting massive amounts of time and resources to accessing data secured by SSL. Some websites are already speculating that the NSA may have known about and been exploiting this security flaw for the last two years. More proof-positive that the idea of an all-seeing, all-knowing security agency brings more danger than safety.

If you want to read more, below is a list of sites with the complete information:

The Heartbleed Bug – Heartbleed.com

The Heartbleed Bug, explained – VOX

‘Heartbleed’: for hundreds of thousands of servers at risk around the world from catastrophic bug – The Guardian

‘Heartbleed’ Bug Exposes Passwords, Web Site Encryption Keys – Krebs on Security

Heartbleed Bug In OpenSSL Makes It Worse Than No Encryption At All – techdirt

List of top 1,000 websites tested for vulnerability – heartbleed-masstest / top1000.txt – GitHub